title: Multiple vulnerabilities in Sosci Survey product: Sosci Survey
vulnerable version: <2.3.04a fixed version: 2.3.04a impact: Critical homepage: https://www.soscisurvey.de found: 2012-06-18 by: T. Lazauninkas, V. Paulikas SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================
1) Authorization Issues The web application fails to validate authorization for certain requests. This allows unauthorized users to access private messages that belong to other users.
3) Remote command execution Due to insufficient input validation, the web application fails to properly filter dangerous PHP code passed from the user side. This leads to OS command execution with the privileges of the web server. By exploiting this vulnerability, an attacker can read/write files, open connections, etc. posing a critical security risk.
1) In the user profile, users are able to send and receive private messages to each other. This also includes the administrative users. By modifying one of the vulnerable script's parameters an attacker can read the messages of other users. A proof of concept is provided below:
By iterating between the integer parameter's id value, an attacker is able to exploit this vulnerability.
An alert with the user's session cookie will be shown.
Persistent Cross-Site scripting was identified in the private messaging module. It was discovered, that [subject, title, firstName, surname, content] parameters are vulnerable to persistent Cross-Site scripting as they are saved and later shown without proper filtering. A sample request is provided below:
POST /admin/index.php HTTP/1.1 Host: www.example.com [...] rec-name=some_name&subject=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E &message=asd%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&o=account &a=message.send&reference=
Many parameters are vulnerable to reflected Cross-Site Scripting vulnerabilities:
Parameters: replace[0-24] search[0-24] id O Referer (header)
3) When creating a new survey it is possible to include PHP code. Despite that the web application is filtering most of the dangerous PHP functions, that would allow to execute OS commands, it is still possible to execute arbitrary commands by using the provided code below:
The above code, when executed, prints out the system id of the current user. This could be further exploited by an attacker for accessing the local file system, creating malicious files, opening remote conections, etc.
Pre-installed version of SoSci Survey, hosted on www.soscisurvey.de domain, was tested. It was not possible to determine an exact version of the installed software.
2013-01-29: Contacted vendor through email@example.com 2013-01-29: Initial vendor response - issues will be verified 2013-03-29: Status request sent 2013-03-29: Vendor response: Security update 2.3.04a is available 2013-04-17: SEC Consult releases coordinated security advisory
Update to version 2.3.04a.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH
Office Vienna Mooslackengasse 17 A-1190 Vienna Austria
Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com
EOF T. Lazauninkas, V. Paulikas / @2013