OpenSchool Community Edition 2.2 XSS / Access Bypass

2015.01.27
Credit: Mahendra
Risk: High
Local: No
Remote: Yes
CWE: CWE-79

# Exploit Title: OpenSchool Community Edition (version 2.2) Multiple Vulnerabilities # Date: 25 January 2015 # Exploit Author: Mahendra # Vendor Homepage: www.open-school.org # Software Link: http://sourceforge.net/projects/fiyo-cms/ # Full version demo: http://www.tryopenschool.com # Version: 2.2 # Tested : Kali Linux 1.0.9a-amd64 # CVE(s): CVE-2014-9126, 2014-9127 *Advisory Timeline* 13 November 2014: Vulnerabilities reported to vendor 14 November 2014: Vendor responded and details provided 14 November 2014: Vendor acknowledged the vulnerabilities 17 November 2014: Vendor fixed the vulnerabilities, except for XSS in CSRF tokens. 25 January 2015: Advisory released ---------------------------------------------------- Stored XSS - 2014-9126 ---------------------------------------------------- *Proof of Concept (PoC)* ? Affected page: /index.php?r=students/studentDocument/create Affected parameter: StudentDocument[title][] Step to reproduce: 1. Login as admin and select one of the students profile. 2. In the profile page, select Documents and upload a new document. 3. Name the document file as <script>alert(1)</script> 4. The file will be saved and when the page is refreshed, the malicious javascript will be executed. ? Affected page: /index.php?r=students/studentCategory/ajax_create Affected parameter: StudentCategories%5Bname%5D Step to reproduce: 1. Login as admin > go to Students > Manage Student Categories > Create New Category 2. Insert the malicious javascript <script>alert(1)</script> into the category name. 3. Saved the category and observed the malicious script is executed. ? Affected page: index.php?r=students/studentPreviousDatas/create&id=1 Affected parameters: o StudentPreviousDatas%5Bcourse%5D o StudentPreviousDatas%5Binstitution%5D o StudentPreviousDatas%5Btotal_mark%5D o StudentPreviousDatas%5Byear%5D ---------------------------------------------------- Reflected XSS - 2014-9126 ---------------------------------------------------- ? Affected parameters: YII_CSRF_TOKEN cookie in the HTTP Header Step to reproduce: added the malicious javascript </script><script>alert(1)</script> in the YII_CSRF_TOKEN cookie header. http://192.168.248.129/osv2.2-CE/index.php?r=students/studentCategory&6b76b'-"</script><script>alert(1)</script>-'a29af=1 http://192.168.248.129/osv2.2-CE/index.php?r=site/emanage&ename=&employeenumber=ccd51<script>alert(1)<%2fscript>d5927&Employees%5Bemployee_department_id%5D=&widget=&val= http://192.168.248.129/osv2.2-CE/index.php?r=site/emanage&ename=daa4c<script>alert(1)<%2fscript>97ab5&employeenumber=&Employees%5Bemployee_department_id%5D=&widget=&val= --------------------------------------------------------------------------------------------- Access control bypass from student portal to access administration interface - CVE-2014-9127 --------------------------------------------------------------------------------------------- The application only allows the admin user to export students and employee database which contain personal information such as address and email address. Any students that have access to student portal can bypass the access control by directly visiting the export link. This functionality was not available in community edition and was tested on the demo version provided by Open-School team. Proof of concept: 1. Login to student portal as students 2. Go to http://tryopenschool.com/index.php?r=export 3. Observe the export function is now accessible to students


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top