Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit

2015-08-04T00:00:00
ID ZSL-2015-5249
Type zeroscience
Reporter Gjoko Krstic
Modified 2015-08-04T00:00:00

Description

Title: Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5249
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 04.08.2015

Summary

Microweber is an open source drag and drop PHP/Laravel CMS licensed under Apache License, Version 2.0 which allows you to create your own website, blog or online shop.

Description

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Stored cross-site scripting vulnerabilitity is also discovered. The issue is triggered when input passed via the POST parameter 'option_value' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

Microweber Team - <http://www.microweber.com>

Affected Version

1.0.3

Tested On

Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21

Vendor Status

[12.07.2015] Vulnerability discovered.
[12.07.2015] Initial contact with the vendor.
[13.07.2015] Vendor responds asking more details.
[13.07.2015] Sent details to the vendor.
[13.07.2015] Vendor replies with confirmation of the issue developing fixed version 1.0.4.
[04.08.2015] Vendor releases official new version (1.0.4).
[04.08.2015] Coordinated public security advisory released.

PoC

microweber_csrf.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://github.com/microweber/microweber/blob/master/CHANGELOG.md>
[2] <https://microweber.com/list-of-contributors>
[3] <http://cxsecurity.com/issue/WLB-2015080028>
[4] <https://www.exploit-db.com/exploits/37734/>
[5] <https://packetstormsecurity.com/files/132969>
[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/105433>

Changelog

[04.08.2015] - Initial release
[09.08.2015] - Added reference [4] and [5]
[13.08.2015] - Added reference [6]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;