Incomedia WebSite X5 Evolution <= 9.0.4.1748 XSS & Auth bypass

2012.11.25
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

=========================================
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)
Vendor: www.websitex5.com
Vulns: XSS && Auth Bypass
Software License: Commercial
Dork 1: inurl:imsearch.php
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php
=========================================

About Software:
==========================================
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find for creating eye-catching, functional and professional websites, blogs and online stores. You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is perhaps most amazing is the sheer power and totality of the features it offers.
http://www.websitex5.com/en/evolution-9.html

*Nice software and easy to use.*
==========================================

About Vulnerabilities:

[*] XSS:

[*] site.tld/imsearch.php?search="\><script>alert(1);</script>

The value of the "search" parameter is passed straight into the search output without escaping, so it is reflected into the page as markup.

Fix: Open imsearch.php and find:

=============VULNERABLE CODE==============
<?php
$search = new imSearch();
$search->search(@$_GET['search'], @$_GET['page']);
?>
==========END OF VULNERABLE CODE==========

REPLACE WITH:

==============FIXED CODE====================
<?php
$search = new imSearch();
$search->search(@htmlspecialchars($_GET['search']), htmlspecialchars(@$_GET['page']));
?>
===========END OF FIXED CODE================

[*] The second vulnerability is an Authentication Bypass.

[*] Vulnerable code: site.tld/admin/checkaccess.php

========= BEGIN VULNERABLE CODE ===========
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
        header("Location: login.php?error");
    else
        header("Location: login.php");
} else
    $logged = TRUE;
// End of file checkaccess.php
==========END OF VULNERABLE CODE==========

Note the flaw: header() only sets the Location header of the redirect; the script continues execution, so the protected page is still generated and sent in the body of the 302 response to an unauthenticated client.
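As an added example (not part of this advisory or of the WebSite X5 code), the following Python classifies captured HTTP responses from an install to confirm both fixes are in place: a 302 to login.php that still carries an HTML body means checkaccess.php runs past header(), and a search page that echoes a probe string with its angle brackets intact means imsearch.php still lacks escaping. The sample responses are constructed, modelled on the raw capture shown in the reproduction section.

```python
# Added example, not from the advisory: offline checks over captured responses
# (e.g. saved from Fiddler or "curl -i") to verify the two fixes. All sample
# responses below are constructed, not real captures.

def parse_raw_response(raw: str) -> dict:
    """Split a raw HTTP/1.1 response into status code, header map and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def redirect_leaks_body(raw: str) -> bool:
    """True when a redirect to login.php still carries rendered page content,
    the symptom of header() being called without a following exit."""
    r = parse_raw_response(raw)
    if not 300 <= r["status"] < 400:
        return False
    if "login.php" not in r["headers"].get("location", ""):
        return False
    return "<html" in r["body"].lower()


def reflects_unescaped(raw: str, marker: str) -> bool:
    """True when the page echoes the marker with its '<' and '>' intact.
    After the htmlspecialchars() fix the marker comes back as &lt;...&gt;."""
    return marker in parse_raw_response(raw)["body"]


# Constructed samples: an unpatched checkaccess.php answer (302 plus a full
# HTML body) and a patched one (302 with an empty body).
UNPATCHED_302 = (
    "HTTP/1.1 302 Found\r\nServer: Apache\r\nLocation: login.php\r\n"
    "Content-Type: text/html\r\n\r\n<html><body><div id=\"imAdminPage\">"
    "PHP: 5.2.17<span>PASS</span></div></body></html>"
)
PATCHED_302 = "HTTP/1.1 302 Found\r\nServer: Apache\r\nLocation: login.php\r\n\r\n"

MARKER = "<xsscheck>"  # harmless probe tag; any unique string with brackets works
UNPATCHED_SEARCH = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nResults for <xsscheck>"
PATCHED_SEARCH = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nResults for &lt;xsscheck&gt;"

if __name__ == "__main__":
    print("checkaccess.php patched:", not redirect_leaks_body(UNPATCHED_302))
    print("imsearch.php patched:", not reflects_unescaped(UNPATCHED_SEARCH, MARKER))
```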
To reproduce:
===============================================
Using Fiddler, intercept the traffic from your browser and you will see the output of the script's execution in the body of the redirect response.
Print screen: http://oi47.tinypic.com/f21sf7.jpg

==================== RAW=======================
HTTP/1.1 302 Found
Date: Sun, 25 Nov 2012 01:13:19 GMT
Server: Apache
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: login.php
Content-Length: 1188
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="it" />
<meta http-equiv="Content-Type-Script" content="text/javascript" />
<meta http-equiv="ImageToolbar" content="False" />
<meta name="MSSmartTagsPreventParsing" content="True" />
<script type="text/javascript" src="../res/jquery.js"></script>
<script type="text/javascript" src="../res/x5engine.js"></script>
<link rel="stylesheet" type="text/css" href="template.css" media="screen" />
<title>WebSite X5 Manager</title>
</head>
<body>
<div id="imAdminPage">
<div id="imBody">
<div class="imSectionTitle"></div>
<div class="imContent">
<div class="imTest pass">&#1042;&#1077;&#1088;&#1089;&#1080;&#1103; PHP: 5.2.17<span>PASS</span></div>
<div class="imTest pass">&#1055;&#1086;&#1076;&#1076;&#1077;&#1088;&#1078;&#1082;&#1072; &#1089;&#1077;&#1089;&#1089;&#1080;&#1080;<span>PASS</span></div>
<div class="imTest pass">&#1055;&#1091;&#1090;&#1100; &#1082; &#1087;&#1091;&#1073;&#1083;&#1080;&#1095;&#1085;&#1086;&#1081; &#1087;&#1072;&#1087;&#1082;&#1077; &#1085;&#1072; &#1089;&#1077;&#1088;&#1074;&#1077;&#1088;&#1077;<span>PASS</span></div>
</div>
</div>
</div>
</body>
===============EOF RAW==================

If your checkaccess.php isn't patched, every file under /admin/*.php is vulnerable, because they all rely on this include to stop unauthenticated requests.

Fixed Code: site.tld/admin/checkaccess.php

==============BEGIN =FIXED CODE=================
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php") {
        header("Location: login.php?error");
        exit;
    } else {
        header("Location: login.php");
        exit;
    }
} else {
    $logged = TRUE;
}
// End of file checkaccess.php
===============END OF FIXED CODE================

**Vendor notified about this advisory.**

================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep

References:

http://www.websitex5.com/en/evolution-9.html
