Incomedia WebSite X5 Evolution 9.0.4.1748 XSS / Bypass

2012-11-26T00:00:00
ID PACKETSTORM:118367
Type packetstorm
Reporter Akastep
Modified 2012-11-26T00:00:00

Description

                                        
                                            `=========================================  
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)  
Vendor: www.websitex5.com  
Vulns: XSS && Auth Bypass  
Software License: Commercial  
Dork 1: inurl:imsearch.php  
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php  
=========================================  
  
  
About Software:  
==========================================  
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find  
for creating eye-catching, functional and professional websites, blogs and  
online stores.  
  
You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is  
perhaps most amazing is the sheer power and totality of the features it offers.  
  
http://www.websitex5.com/en/evolution-9.html  
  
*Nice Software and easy to use.*  
==========================================  
  
About Vulnerabilities:  
  
  
  
[*] XSS: [*]  
site.tld/imsearch.php?search="\><script>alert(1);</script>  
  
  
  
Fix:  
  
Open imsearch.php and find:  
  
=============VULNERABLE CODE==============  
  
<?php  
$search = new imSearch();  
$search->search(@$_GET['search'], @$_GET['page']);  
?>  
  
  
==========END OF VULNERABLE CODE==========  
  
  
  
REPLACE WITH:  
  
  
==============FIXED CODE====================  
  
<?php  
$search = new imSearch();  
$search->search(@htmlspecialchars($_GET['search']), htmlspecialchars(@$_GET['page']));  
?>  
  
===========END OF FIXED CODE================  
  
  
  
  
[*] Second vulnerability is Authentication Bypass. [*]  
  
  
  
  
Vulnerable code: site.tld/admin/checkaccess.php  
  
========= BEGIN VULNERABLE CODE ===========  
  
  
<?php  
require_once("../res/x5engine.php");  
$login = new imPrivateArea();  
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {  
if (basename($_SERVER['HTTP_REFERER']) == "login.php")  
header("Location: login.php?error");  
else  
header("Location: login.php");  
}  
else  
$logged = TRUE;  
  
// End of file checkaccess.php  
  
==========END OF VULNERABLE CODE==========  
  
  
Notice flaw: Script continues execution.  
  
  
  
For reproduce:  
===============================================  
  
Using Fiddler intercept the traffic from your browser and you will get output from scripts execution.  
Print screen:  
http://oi47.tinypic.com/f21sf7.jpg  
  
==================== RAW=======================  
HTTP/1.1 302 Found  
Date: Sun, 25 Nov 2012 01:13:19 GMT  
Server: Apache  
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: login.php  
Content-Length: 1188  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<meta http-equiv="Content-Language" content="it" />  
<meta http-equiv="Content-Type-Script" content="text/javascript" />  
<meta http-equiv="ImageToolbar" content="False" />  
<meta name="MSSmartTagsPreventParsing" content="True" />  
<script type="text/javascript" src="../res/jquery.js"></script>  
<script type="text/javascript" src="../res/x5engine.js"></script>  
<link rel="stylesheet" type="text/css" href="template.css" media="screen" />  
<title>WebSite X5 Manager</title>  
</head>  
<body>  
<div id="imAdminPage">  
<div id="imBody">  
<div class="imSectionTitle"></div>  
<div class="imContent">  
<div class="imTest pass">Версия PHP: 5.2.17<span>PASS</span></div>  
<div class="imTest pass">Поддержка сессии<span>PASS</span></div>  
<div class="imTest pass">Путь к публичной папке на сервере<span>PASS</span></div>  
</div>  
</div>  
</div>  
</body>  
  
  
===============EOF RAW==================  
  
  
  
If your checkaccess.php isn't patched every file on /admin/*.php is vulnerable.  
  
  
  
  
  
Fixed Code:  
site.tld/admin/checkaccess.php  
  
==============BEGIN =FIXED CODE=================  
<?php  
require_once("../res/x5engine.php");  
$login = new imPrivateArea();  
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0)  
{  
if (basename($_SERVER['HTTP_REFERER']) == "login.php")  
{  
header("Location: login.php?error");  
exit;  
}  
  
else  
{  
header("Location: login.php");  
exit;  
}  
}  
else  
{  
$logged = TRUE;  
}  
  
// End of file checkaccess.php  
  
===============END OF FIXED CODE================  
  
  
**Vendor notified about this advisory.**  
  
  
================================================  
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
osvdb.com  
websecurity.com.ua  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers  
  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  
`