Axous 1.1.1 Multiple Vulnerabilities (CSRF - Persistent XSS) - Vulnerability Advisory - myhack58 (黑吧安全网)

2012-05-19T00:00:00
ID MYHACK58:62201233917
Type myhack58
Reporter Anonymous
Modified 2012-05-19T00:00:00

Description

Title: Axous 1.1.1 Multiple Vulnerabilities (CSRF - Persistent XSS)

Author: Ivano Binetti (http://www.ivanobinetti.com)

Software download: http://www.axous.com/get.php?pid=1

App developer website: http://www.axous.com/

Affected versions: 1.1.1 and lower

Test system: Debian Squeeze (6.0)

+--------------------------------------------------------------------------+

Contents

1) Introduction

2) Vulnerability Description

2.1 CSRF

2.2 Persistent XSS

3) Proof of Concept

3.1 Exploit CSRF (Add admin)

3.2 Exploit Persistent XSS

3.2.1 Exploit "page_title"

3.2.2 Exploit "category_name[1]"

3.2.3 Exploit "site_name", "seo_title" and "meta_keywords"

3.2.4 Exploit "company_name", "address1", "address2", "city", "state", "country", "author_first_name", "author_last_name", "author_email", etc.

3.2.5 Exploit "system_email", "sender_name", "smtp_server", "smtp_username", "smtp_password", "order_notice_email"

+--------------------------------------------------------------------------+

1) Introduction

Axous "is an e-shop system for software vendors. With Axous, you can set up a professional software site, start selling your product with PayPal ExpressCheckout, and send regcode to your customers automatically in 5 minutes".

2) Vulnerability Description

2.1 CSRF

Axous 1.1.1 (and below) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameter when an authenticated user/admin browses a specially crafted web page.

In this advisory I will only demonstrate how to add a new administrator, but with little modification to my exploit you can modify any of Axous's parameters, as Axous does not use an anti-CSRF token.
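The root cause named above is the absence of an anti-CSRF token on state-changing admin requests. The following is an added example, not Axous code, of the synchronizer-token pattern a PHP admin handler can use so that a forged cross-site POST (such as the "add admin" request) is rejected. The handler file name, the form field names and the add_administrator() call are hypothetical placeholders.

```php
<?php
// Added example (not part of Axous): synchronizer-token CSRF protection for a
// hypothetical admin form handler (e.g. admin/users_add.php).

// Mark the session cookie SameSite=Lax as a second layer (PHP 7.3+ array form).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Return the per-session token, generating it from the CSPRNG on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token submitted with a POST against the session copy.
// Uses hash_equals() so the comparison does not leak timing information.
function csrf_check(array $post, array $server): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    // Defense in depth: when the browser sends an Origin header on the POST,
    // it must match this site. A missing header is tolerated; a wrong one is not.
    if (isset($server['HTTP_ORIGIN'])) {
        $scheme = empty($server['HTTPS']) ? 'http' : 'https';
        if ($server['HTTP_ORIGIN'] !== $scheme . '://' . ($server['HTTP_HOST'] ?? '')) {
            return false;
        }
    }
    return true;
}

// Hypothetical privileged action; a real handler would write to the database.
function add_administrator(string $username): void
{
    error_log("would create administrator: $username");
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    $username = trim((string)($_POST['username'] ?? ''));
    if ($username === '' || !preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username)) {
        http_response_code(400);
        exit('Invalid username.');
    }
    add_administrator($username);
    echo 'Administrator added.';
    exit;
}
?>
<!-- The token travels as a hidden field; a third-party page cannot read it. -->
<form method="post" action="users_add.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Username <input type="text" name="username"></label>
  <button type="submit">Add administrator</button>
</form>
```

A forged request from another origin carries the victim's session cookie but not the hidden token, so csrf_check() fails and the handler stops before add_administrator() runs. The SameSite attribute and the Origin comparison are independent layers; the token check alone is what closes the gap described in this section.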

2.2 Persistent XSS

Axous 1.1.1 (and below) is prone to multiple persistent XSS vulnerabilities due to improper input sanitization of the following parameters:

- "page_title", passed to the server-side logic (path: "admin/content_pages_edit.php") via the HTTP POST method.

Exploiting the "page_title" parameter, an authenticated administrator could insert arbitrary code in the "Title" field and have it executed when another administrator clicks the "Pages" link or on that specific page under the "Title" menu.

Furthermore, the injected code will generate a persistent XSS for all unauthenticated users visiting that web page.

- "category_name[1]", passed to the server-side logic (path: "admin/products_category.php") via the HTTP POST method.

Exploiting the "category_name[1]" parameter, an administrator could insert arbitrary code in the "Category" field (under "Control Panel > Products") and create a persistent XSS for another administrator who clicks the "Add New" button (again under "Control Panel > Products").

- "site_name", "seo_title" and "meta_keywords" parameters, passed to the "admin/settings_siteinfo.php" script via the HTTP POST method.

Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who clicks the "Site info" link under the Settings menu.

- "company_name", "address1", "address2", "city", "state", "country", "author_first_name", "author_last_name", "author_email", "contact_first_name",
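Every parameter in this section follows the same pattern: a value stored by an admin page is later echoed into HTML without encoding. The following is an added example, not Axous code, contrasting the vulnerable echo with a context-aware encoding helper for the stored fields named above (page_title, site_name, meta_keywords) and adding shape validation for fields that have one (author_email, smtp_server). The sample rows, function names and file paths are constructed for illustration.

```php
<?php
// Added example (not part of Axous): output encoding and input validation for
// values stored by the admin pages named in this advisory.

// Encode for HTML text and double-quoted attribute contexts. ENT_QUOTES covers
// both quote characters; ENT_SUBSTITUTE avoids dropping output on bad UTF-8.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample records, standing in for rows read from the database.
$page = ['id' => 7, 'page_title' => '<script>alert(document.cookie)</script>'];
$site = ['site_name' => 'Shop" onmouseover="alert(1)', 'meta_keywords' => 'software, shop'];

// Vulnerable pattern: the stored title is concatenated raw into the "Pages" list,
// so the script tag is delivered to every administrator (and visitor) who loads it.
function render_page_link_unsafe(array $p): string
{
    return '<a href="content_pages_edit.php?id=' . $p['id'] . '">' . $p['page_title'] . '</a>';
}

// Hardened pattern: every dynamic value is encoded for the context it lands in,
// and the numeric id is cast so it cannot carry markup either.
function render_page_link(array $p): string
{
    return '<a href="content_pages_edit.php?id=' . (int)$p['id'] . '">' . e($p['page_title']) . '</a>';
}

// Site-info values appear inside attributes; e() handles that context as well.
function render_siteinfo(array $s): string
{
    return '<input name="site_name" value="' . e($s['site_name']) . '">' . "\n"
         . '<meta name="keywords" content="' . e($s['meta_keywords']) . '">';
}

// Input-side validation for fields with a known shape. This is defense in depth;
// output encoding above remains mandatory for free-text fields like page_title.
function validate_settings(array $post): array
{
    $errors = [];
    if (!filter_var($post['author_email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'author_email';
    }
    if (!filter_var($post['smtp_server'] ?? '', FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        $errors[] = 'smtp_server';
    }
    return $errors;
}

header('Content-Type: text/html; charset=UTF-8');
echo render_page_link($page), "\n";   // script tag is rendered as literal text
echo render_siteinfo($site), "\n";    // stray quote cannot break out of the attribute
var_dump(validate_settings(['author_email' => 'not-an-email', 'smtp_server' => 'mail.example.com']));
```

The encoding has to happen at every output point, not once at input time: the same page_title is shown in the admin list, in the edit form and on the public page, and a value that is safe in one context is not automatically safe in another. Validating author_email and smtp_server against their expected formats rejects obviously malformed input early, but it does not replace encoding for the free-text fields.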
