SEC Consult 20130417-0 :: Multiple vulnerabilities in Sosci Survey


SEC Consult Vulnerability Lab Security Advisory < 20130417-0 > ======================================================================= title: Multiple vulnerabilities in Sosci Survey product: Sosci Survey vulnerable version: <2.3.04a fixed version: 2.3.04a impact: Critical homepage: https://www.soscisurvey.de found: 2012-06-18 by: T. Lazauninkas, V. Paulikas SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- SoSci Survey provides a non-comercial survey service, letting anyone to create and share surveys for collecting data in a purpose of scientific research. It is a flexible and efficient tool as it lets you to create a very customizable survey, including active content (javascript) and PHP code. https://www.soscisurvey.de/ Vulnerability overview/description: ----------------------------------- 1) Authorization Issues The web application fails to validate authorization for certain requests. This allows unauthorized users to access private messages that belong to other users. 2) Cross-Site Scripting The web application is prone to persistent and reflected Cross-Site Scripting attacks. The vulnerability can be used to include HTML or JavaScript code to the affected web page. The code is executed in the browser of users if they visit the manipulated site. The vulnerability can be used to change the contents of the displayed site, redirect to other sites or steal user credentials. Additionally, Portal users are potential victims of browser exploits and JavaScript Trojans. 3) Remote command execution Due to insufficient input validation, the web application fails to properly filter dangerous PHP code passed from the user side. This leads to OS command execution with the privileges of the web server. By exploiting this vulnerability, an attacker can read/write files, open connections, etc. posing a critical security risk. Proof of concept: ----------------- 1) In the user profile, users are able to send and receive private messages to each other. This also includes the administrative users. By modifying one of the vulnerable script's parameters an attacker can read the messages of other users. A proof of concept is provided below: https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id] By iterating between the integer parameter's id value, an attacker is able to exploit this vulnerability. 2) If an invalid id value is passed to the receiver.edit module, which is handled by the index.php script, its contents is reflected to the user without proper filtering. This leads to javascript execution in the web browser. This issue can be easily exploited by navigating to the folowing URL: https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script> An alert with the user's session cookie will be shown. Persistent Cross-Site scripting was identified in the private messaging module. It was discovered, that [subject, title, firstName, surname, content] parameters are vulnerable to persistent Cross-Site scripting as they are saved and later shown without proper filtering. A sample request is provided below: POST /admin/index.php HTTP/1.1 Host: www.example.com [...] rec-name=some_name&subject=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E &message=asd%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&o=account &a=message.send&reference= Many parameters are vulnerable to reflected Cross-Site Scripting vulnerabilities: URL: https://www.example.com/admin/index.php Parameters: replace[0-24] search[0-24] id O Referer (header) URL: https://www.example.com/admin/ajax.feedback.php Parameters: dat_type 3) When creating a new survey it is possible to include PHP code. Despite that the web application is filtering most of the dangerous PHP functions, that would allow to execute OS commands, it is still possible to execute arbitrary commands by using the provided code below: print `id`; The above code, when executed, prints out the system id of the current user. This could be further exploited by an attacker for accessing the local file system, creating malicious files, opening remote conections, etc. Vulnerable / tested versions: ----------------------------- Pre-installed version of SoSci Survey, hosted on www.soscisurvey.de domain, was tested. It was not possible to determine an exact version of the installed software. Vendor contact timeline: ------------------------ 2013-01-29: Contacted vendor through info@soscisurvey.de 2013-01-29: Initial vendor response - issues will be verified 2013-03-29: Status request sent 2013-03-29: Vendor response: Security update 2.3.04a is available 2013-04-17: SEC Consult releases coordinated security advisory Solution: --------- Update to version 2.3.04a. Workaround: ----------- Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com EOF T. Lazauninkas, V. Paulikas / @2013