eSyndiCat Pro 2.4.1 CSRF / XSS / SQL Injection

2012-06-14T00:00:00
ID PACKETSTORM:113663
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2012-06-14T00:00:00

Description

                                        
                                            `  
Title:  
======  
eSyndiCat Pro v2.4.1 - Multiple Web Vulnerabilities  
  
  
Date:  
=====  
2012-05-19  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=575  
  
  
VL-ID:  
=====  
575  
  
  
Common Vulnerability Scoring System:  
====================================  
7.1  
  
  
Introduction:  
=============  
eSyndiCat is a full featured php directory software that can be used as an addition to your existing site   
or as a stand-alone platform. Using eSyndiCat Directory Software your website can achieve top rank and take   
the leading positions in the most popular search engines! Powering 45,000+ Successful Directories Since 2005  
It is no wonder why eSyndiCat is one of the most popular php directory scripts since 2005. eSyndiCat is more   
than just a directory software. It can be easily used as a business directory script, article directory software,   
bidding directory script, church directory software and more.  
  
(Copy of the Vendor Homepage: http://www.esyndicat.com )  
  
  
Abstract:  
=========  
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in eSyndiCat Pro v2.4.1 Service & Management System.   
  
  
Report-Timeline:  
================  
2012-05-19: Public or Non-Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
High  
  
  
Details:  
========  
1.1  
Multiple SQL Injection vulnerabilities are detected in the eSyndiCat Pro v2.4.1 Service Application & Management System.  
The vulnerability allows an attacker (remote) to inject/execute own sql commands on the affected application dbms.   
The vulnerabilities are located in multiple application files when processing to request (POST) via cvs importer the   
Delimiter or when processing to add rss feeds with manipulated Number of items. Successful exploitation of the vulnerability   
results in dbms, service & application compromise.   
  
Vulnerable Module(s):  
[+] CVS Import - Delimiter  
[+] RSS ADD - Number of items  
  
Vulnerable Parameter(s):  
[+] num & delimiter num  
  
  
1.2  
Multiple persistent input validation vulnerabilities are detected in the eSyndiCat Pro v2.4.1 Service Application CMS.   
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).   
The persistent vulnerabilities are located in the input fields of the account username, new listing descriptionname &   
controller suggest name. The persistent script code (HTML/JS) get executed out of the listing or username profile webpage   
context. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)   
context manipulation. Exploitation requires low user inter action & low privileged user account.   
  
Vulnerable Module(s):   
[+] Accounts > Username  
[+] New Listings > Description of the Listing  
[+] Controller > Suggest Listing & Inputs  
  
  
1.3  
A cross site request forgery vulnerability is detected in eSyndiCat Pro v2.4.1 Service Application & Management System.   
The bugs allow remote attackers with high required user inter action to edit user accounts. Successful exploitation can   
lead to account creation. To exploit the issue the attacker need to create a manipulated copy the edit user mask/form.   
Inside of the document the remote can implement his own values for the update because of no form or token protection.   
When admin get now forced to execute the script via link he is executing the new value on the update of the application   
if his session is not expired.  
  
Vulnerable Module(s):  
[+] Add Administrator Accounts - Form  
  
  
Proof of Concept:  
=================  
1.1  
The sql injection vulnerabilities can be exploited by remote attackers with privileged user account & without user inter action.  
For demonstration or reproduce ...  
  
PoC:  
http://127.0.0.1:8080/admin/controller.php?plugin=import_csv > Delimiter [POST]  
  
  
POSTDATA =-----------------------------  
-----------------------------133572933723271  
Content-Disposition: form-data; name="delimeter"  
  
-1'  
-----------------------------133572933723271  
Content-Disposition: form-data; name="parse"  
  
Parse  
-----------------------------133572933723271--  
  
  
  
-----------------------------130222961710112  
Content-Disposition: form-data; name="csvfile"; filename="1.csv"  
Content-Type: application/x-download  
  
hackhack-test  
-----------------------------130222961710112  
Content-Disposition: form-data; name="delimeter"  
  
-1' VL  
-----------------------------130222961710112  
Content-Disposition: form-data; name="parse"  
  
Parse  
-----------------------------130222961710112--  
  
  
-----------------------------238692936112896  
Content-Disposition: form-data; name="delimeter"  
  
-1'  
-----------------------------238692936112896  
Content-Disposition: form-data; name="parse"  
  
Parse  
-----------------------------238692936112896--  
  
&&   
  
POSTDATA=  
57185fdd52  
&title=research&url=http://test.com  
&num=[SQL Injection]  
&status=active&goto=  
list&categories=&save=Add  
  
http://127.0.0.1:8080/admin/controller.php?plugin=rss&do=add > Number of items  
  
  
--- SQL Exception Logs ---  
WARNING: mysql_list_fields() [function.mysql-list-fields]: Unable to save MySQL query   
result [ 16 May 2012 23:41:11 ] in cms/plugins/import_csv/admin/index.php:69  
  
WARNING: mysql_num_fields(): supplied argument is not a valid MySQL result resource   
[ 16 May 2012 23:41:11 ] in cms/plugins/import_csv/admin/index.php:70  
  
... or  
  
Database query error:  
Error: Unknown column id_block in field list   
  
UPDATE `v23s_blocks` SET `id_block` = 0 WHERE `id` = 6  
  
  
  
  
  
1.2  
The persistent input validation vulnerabilities can be exploited by remote attackers with low required user inter action.  
For demonstration or reproduce ...  
  
Review: User Account - Listing (After persistent script code inject)  
  
<td class="x-grid3-col x-grid3-cell x-grid3-td-2 " style="width: 379px;" tabindex="0">  
<div id="ext-gen94" class="x-grid3-cell-inner x-grid3-col-2" unselectable="on">  
"><[PERSISTENT SCRIPT CODE]("</div'></td><  
  
URL: http://127.0.0.1:8080/bambam/admin/controller.php?file=accounts - username & email  
  
Reference(s):  
http://127.0.0.1:8080/articles/admin/controller.php?file=accounts&id=2 (USERNAME+[PERSISTENT SCRIPT CODE])  
http://127.0.0.1:8080/articles/new-listings.html (Description+[PERSISTENT SCRIPT CODE])  
http://127.0.0.1:8080/articles/admin/controller.php?file=suggest-listing&id=0 (SUGGEST TITLE+[PERSISTENT SCRIPT CODE])  
  
  
1.3  
The cross site request forgery vulnerability can be exploited by remote attackers with high required user inter action.  
For demonstration or reproduce ...  
  
URL: http://127.0.0.1:8080/articles/admin/controller.php?file=admins&do=add   
  
> ID=1 <= Admin ;)  
> ID=2  
> ID=3  
> ID=4  
> ID=5  
  
- NAME > PASS > ID := 1  
  
  
Risk:  
=====  
1.1  
The security risk of the sql injection vulnerabilities are estimated as high(-).  
  
1.2  
The security risk of the persistent input validation vulnerabilities are estimated as medium(+).  
  
1.3  
The security risk of the cross site request forgery vulnerability is estimated as low(+).  
  
  
Credits:  
========  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [Rem0ve] (bkm@vulnerability-lab.com)  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com  
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com  
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - irc.vulnerability-lab.com  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of   
other media, are reserved by Vulnerability-Lab Research Team or its suppliers.  
  
Copyright © 2012 Vulnerability-Lab  
  
  
  
  
--   
VULNERABILITY RESEARCH LABORATORY TEAM  
Website: www.vulnerability-lab.com  
Mail: research@vulnerability-lab.com  
`