CiviCRM 3.1 Beta 1 cross site scripting

2010.01.18
Credit: h00die
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: CiviCRM 3.1 < Beta 5 Multiple XSS Vulnerabilities # Date: Dec 10 2009 # Author: h00die (mcyr2@csc.com) & Ch3nz (vpierorazio@csc.com) # Software Link: http://sourceforge.net/projects/civicrm/files/civicrm-latest/3.1.beta1/civicrm-3.1.beta1-standalone.tar.gz/download # Version: 3.1 Beta 1 # Tested on: BT4 pre-final # Greetz to muts and loganWHD # http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily #Timeline #Discovery Date: Dec 9 2009 #Vendor Notification: Dec 31 2009 #Vendor Patch: Jan 13, 2010. Update to Beta 5 with fixes, also patch for Beta 4 released. #Public Disclosure: Jan 13, 2010 #Background: Separated XSS Injection ######################################################### CiviCRM uses a fairly complex filtering system to try to prevent attacks, yet still have the highest level of flexibility. One of those filters prevents <script> and </script> from being in the same input box. In several cases it is possible to use multiple input boxes that get displayed later either together or close enough that it is possible to inject the 1st half of the code in the first box with a trailing comment, then inject the end comment and end script in the second box. We call this Separated XSS Injection. For instance, you have input box 1, and input box 2. It is not possible to get by the IDS in the software by injecting <script>alert(1);</script> into either of those boxes. When the content is later displayed it is displayed in a table consisting of: Input box 1, ID# (auto generated), Input box 2. By injecting <script>alert(1);// into input box 1, and //--></script> into input box 2 the content in the table then becomes: <script>alert(1);// </td><td>ID#</td><td> //--></script>. This script is now executable even though it was split and injected into different areas. ######################################################### #Vulnerable injection points ######################################################### 1. Tags 1a. HTML injection in both the Name and Description fields. 1b. Separated XSS Injection using the Name and Description input boxes. When the data is displayed, there is an ID field between the two items, so in order to inject data but still have it look correctly try this: Name: Tag<script>alert(1);// Description: //--></script></td><td>1</td><td>Description</td> Keep in mind Name has ~64 char limit, Description is a 255 character limit 2. Groups 2a. HTML injection in both the Name and Description fields. 2b. Separated XSS Injection using the Name and Description input boxes. When the data is displayed, there is an ID field between the two items, so in order to inject data but still have it look correctly try this: Name: Group<script>alert(1);// Description: //--></script></td><td>1</td><td>Description</td> Keep in mind Name has ~64 char limit. ***Also, since this data gets displayed in the Recent Items column on the left, it will break the interface. It also breaks the Settings page for the group, so this data can not be altered once input w/o editing the DB by hand*** 3. Contributions 3a. Source Notes, and Transaction ID are HTML injectable 3b. Separated XSS Injection using the Honoree First Name and Last Name input boxes. When the data is displayed, there are no fields between the two items, so this is a safer injection point, but the xss does not display unless the user views the individual contribution. Safe Injection Data: First Name: Matt<script>alert(1); Last Name: </script> Smith This attack also creates the Honoree as a person element in the system, so attacks are further reaching 3c. The Honoree First/Last Name fields have a length bug. When inserting a user to the system there is a 64 character limit on First/Last Names. When inserting an honoree's First/Last name, there is no control on that. The data is then inserted into the Database as is, and when the data is displayed, it is SHOWN at 64 characters even though all the characters are actually valid. What does this mean? Lets look back at 3b, we can now do the following First Name: 1234567890123456789012345678901234567890123456789012345678901234<script>alert('xss attack'); Last Name: </script> LastName Now when we view the contact's Details (for 1234...), and try to Edit the data the <script>alert('xss attack'); part is not displayed. This could be a good method of hiding the attack a little better. 4. Address Field 4a. Separated XSS Injection using the Addt'l Address 1 and Addt'l Address 2 input boxes. When the data is displayed, there is a </span><br /> between the two items, so in order to inject data we must comment out that part like so: Addt'l Address 1: <script>alert('xss');// Addt'l Address 2: //--></script> Keep in mind each address field has a ~96 char limit. #########################################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top