EmbryoCore CMS v1.03 Multiple Web Vulnerabilities

2012-04-14T00:00:00
ID 1337DAY-ID-18060
Type zdt
Reporter Benjamin K.M.
Modified 2012-04-14T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Title:
======
EmbryoCore CMS v1.03 - Multiple Web Vulnerabilities

Introduction:
=============
EmbryoCore is a blog / content management system written using PHP5 s newest features. Highly
customizable, XHTML:Strict compliant, with full integration of jQuery for dynamic ajax-powered content.

Completely XHTML Strict compliant
Pure CSS layouts
Drag and drop interface for moving content around
Static page and article entry for non-blog content
Ajax comments system
Ajax multi-page articles
Ajax file manager with upload and auto-thumbnailing for images
Ajax gallery system
Post priviledges - every post can be configured to be seen by only guests, administrators, members etc
Ratings and comments can be enabled or disabled on a per post basis
Spam protection - configurable time-outs for disallowing posts within a certain time from visiting site and
from last post made etc, also online post checking with TypePad AntiSpam
Advanced theme templating system means you can change the look of your site with a single click, and
building new themes is simplicity itself
WYSIWYG editor for simple content entry
Full categorization with sub-categories
Cross blog communication with built in pingback
Syndication with dynamic RSS creation for posts, comments etc
Search engine friendly URL s
Cache system reduces server load and speeds up page loads
Automatic updating from the admin area
Automatic installation of themes, plugins etc, no FTP access required

Fully object orientated code
Fully event driven
Takes full advantage of PHP5 s new features
Full integration with jQuery, including popular plugins like Shadowbox
Uses PHP5 s inbuilt PDO (PHP Data Objects) class, and the powerful abstraction layer means building queries is a
breeze
Create as many sub-sites as you want from your admin area, all running off the same core code

(Copy of the Vendor Homepage: http://embryocore.sourceforge.net/ )


Abstract:
=========
The Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in EmbryoCore v1.03.

Details:
========
1.1
A remote SQL Injection vulnerability (POST) is detected in EmbryoCore v1.03 content management system.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application
compromise.
The vulnerability is located on the username post method.

Vulnerable Module(s):
[+] Add User or Register User Request (POST) [embryocore/index.php?event=admin:auser]


--- SQL Exception Logs ---
<div style=``display: none; opacity: 1;`` id=``kmessage`` class=``no-display``><img src=``
content/themes/admin/images/apply.png`` alt=``> <strong>EmbryoCore Fatal Database error:</strong>
[42000]:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near ``=> ``></div>

1.2
A persistent input validation vulnerability is detected in the EmbryoCore v1.03 web application.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user inter action because the admin needs to watch the user list.
The user includes his scriptcode as profile name and the code is getting executed on the administrator section
persistent.


Vulnerable Module(s):
[+] Profil & Username Input Field
[-] Admin Control Panel - User Listing 

Proof of Concept:
=================
The sql injection vulnerability can be exploited by remote attackers without inter action or local low
privileged user accounts. For demonstration or reproduce ...


1.1
To inject the sql command implement your statement on the user input fields and send it with the request (POST Method).
The return will be the error or successful query of the application dbms.

POST: /embryocore/index.php?ajax=admin:auser&mode=createNewUser HTTP/1.1
POC: user_displayname=[SQL-INJECTION]&user_login=test2&user_email=m () dot
empire&user_password=123456&user_cpassword=hack4best


1.2
The persistent input validation vulnerability can be exploited by remote attackers without inter action
or local low privileged
user accounts. Successful exploitation requires low user inter action because the admin only have to review the user
listing.
For demonstration or reproduce ...

User Listing PoC:
<tr><td style="width: 1%; vertical-align: top;"><img
src="http://www.gravatar.com/avatar.php?gravatar_id=
56f8d37b176ad6e9dc45e7923d1296ce&default=http%3A%2F%2Fxxx.com%2Fembryocore%2Flibs%2F
modules%2Ftemplate%2Fimages%2Fdefault_gravatar.png" alt="gravatar" style="width:
45px;">​​​​​</td><td style="
width: 15%; vertical-align: top;"><div
class="list-title"><strong>-2</strong></div>"><iframe src="
http://www.vulnerability-lab.com"; width"500"="" height="500"><br
/>91.37.89.26</td><td style='
width: 20%; vertical-align: top;'>Joined:<br />Monday 09th April 2012, 04:33am</td><td
style='width: 20%; vertical-align: top;'>Last Visit:<br />-</td><td style='width: 20%;
vertical-align: top;'>Last Post:<br />-</td><td style='width: 2%; vertical-align: top;
text-align: right;'><img src='http://xxx.com/embryocore/content/themes/admin/images/comment.png'
alt='comments' title='comments' /> 0</td></tr>
<tr>



#  0day.today [2018-03-19]  #