KWSPHP CMS v1.6.995 - Persistent Cross Site Vulnerability

Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discoverd in the official KWSPHP v1.6.995 content management system.
The security issue allows remote attackers to inject own malicious script codes on the application-side of the affected service module.

The vulnerability is located in the `sql_contact_pseudo` parameter of the `index.php` file within the contact module. Remote attackers and 
low privileged web-application user accounts are able to inject own malicious script code context as `contact pseudonym` value of the 
index.php file POST method request. The injection point is the vulnerable contact formular and the execution occurs in the same formular 
context after the submit POST method request is perfomed. Not only the form itself is wrong encoded, the email that is get send to the 
contact will be encoded as html which results in a second point of execution. The main issue occurs in the contact formular itself.

The security risk of the persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. 
Exploitation of the persistent input validation web vulnerability requires no privileged web-application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious source and 
persistent manipulation of affected or connected application modules.

Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] Contact Formular

Vulnerable File(s):
				[+] index.php

Vulnerable Parameter(s):
				[+] sql_contact_pseudo

Affected Module(s):
				[+] Contact Formular
				[+] Email Notify


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

--- PoC Session Logs [POST] ---
Host: http://localhost:8080/
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: http://localost/index.php?mod=contact
Cookie: PHPSESSID=24dbc6ca1f342ab46690fe39b20ba4b2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 241 test

[+] Method POST [+] 
sql_contact_pseudo=[SCRIPT CODE INJECTION!]&sql_contact_email=test%40live.fr&sql_contact_objet=d&
texte=%3Cp%3Ec%3C%2Fp%3E&contact_copie=non&code_secu=&xss_retour=.%2Findex.php%3Fmod%3Dcontact&contact_envoyer=+Envoyer+


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable `sql_contact_pseudo` parameter of the index.php file.
Restrict the parameter and input field inputs by disallowing the usage of special chars or script code tags.
Encode the vulnerable output location with a secure mechanism and filter the entries. Implement a secure exception to prevent further persistent injection attacks.


Domain:     www.zwx.fr
Contact:    [email protected]	
Social:     twitter.com/XSSed.fr
Feeds:      www.zwx.fr/feed/
Advisory:   www.vulnerability-lab.com/show.php?user=ZwX
            packetstormsecurity.com/files/author/12026/
            cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
            0day.today/author/27461

#  0day.today [2018-03-20]  #