HTB23186: MijoSearch Joomla Extension - XSS and Full Path Disclosure

High-Tech Bridge Security Research Lab discovered 2 vulnerabilities in MijoSearch Joomla Extension version 2.0.1, which can be exploited to gain access to potentially sensitive data and perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.

Cross-site Scripting vulnerability in MijoSearch exists due to insufficient sanitisation of user-supplied data appended to "/component/mijosearch/search" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

Information Exposure Through Externally-generated Error Message vulnerability in MijoSearch exists due to improper implementation of error handling mechanisms in "/component/mijosearch/search" URL. A remote attacker can send a specially crafted HTTP GET request to the vulnerable web application and gain knowledge of full installation path of the application.

Read full details at High-Tech Bridge Advisory HTB23186: Multiple Vulnerabilities in MijoSearch.

HTB23183: Bitrix Site Manager - User Identity Spoofing - CWE-345

High-Tech Bridge Security Research Lab discovered vulnerability in Bitrix Site Manager version 12.5.13, which can be exploited to spoof user's identity and read, modify or delete pre-ordered items in customer's basket.

User Identity Spoofing vulnerability (CWE-345) in Bitrix Site Manager version 12.5.13 exists due to insufficient verification of supplied data authenticity when displaying pre-order items in customer's basket in the e-Store Module of Bitrix Site Manager. A remote unauthenticated user can change "BITRIX_SM_SALE_UID" cookie, view another user's basket and perform certain actions, e.g. add or delete items in the basket. The e-Store Module must be installed on the system and knowledge of a valid "BITRIX_SM_SALE_UID" cookie is required. This value can be easily guessed using simple brute-force techniques, since the application increases its value by 1 with every new customer.

Below are exploitation instructions for this vulnerability. You will need to open two different browsers with plugins that allow cookie management.

1. Open your first browser
2. Visit the following URL http://[host]/buy/cms.php and add items to the basket.
3. You will be redirected to the following URL: http://[host]/personal/cart.php
4. Record your "BITRIX_SM_SALE_UID" cookie value.
5. Open your second browser and navigate to the following URL: http://[host]/personal/cart.php
6. Change the value of your "BITRIX_SM_SALE_UID" cookie to the one you recorded before and delete all other cookies.
7. Refresh the page http://[host]/personal/cart.php. You will see pre-ordered items of another user.

Solution: Update "sale" module to version 14.0.1

More Information: www.bitrixsoft.com/products/cms/versions.php?module=sale

HTB23185: SQL Injection in InstantCMS

High-Tech Bridge Security Research Lab discovered blind SQL injection vulnerability in InstantCMS version 1.10.3, which can be exploited to perform SQL Injection attacks, alter SQL requests and compromise vulnerable application.

SQL Injection vulnerability in InstantCMS exists due to insufficient filtration of "orderby" HTTP POST parameter passed to "/catalog/[id]" URL. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. Simple exploit code in advisory uses blind SQL injection exploitation technique.

Solution: Apply patch for InstantCMS 1.10.3
InstantCMS 1.10.3 downloaded after November 21, 2013 is patched [without version/release modification] and is not vulnerable for this vulnerability.

HTB23184: Cross-Site Scripting (XSS) in Jamroom

Jamroom, social media platform, version 5.0.2 is vulnerable to perform cross-site scripting (XSS) attacks. Details are disclosed by High-Tech Bridge Security Research Lab.

The XSS vulnerability exists due to insufficient sanitisation of user-supplied data in "search_string" HTTP POST parameter passed to URLs like "/search/results/all/1/4". A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The exploitation example below uses the JavaScript "alert()" function to display "immuniweb" word:
<form action="http://[host]/search/results/all/1/4" method="post" name="main">
<input type="hidden" name="search_string" value='" onmouseover="javascript:alert("immuniweb");'>
<input type="submit" id="btn">
</form>


Solution: Update Jamroom Search module to version 1.1.1.

HTB23179: Claroline 1.11.8 multiple cross-site scripting (XSS)

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Claroline version 1.11.8, which can be exploited to perform Cross-Site Scripting (XSS) attacks against vulnerable web application visitors and administrators.

Cross-Site Scripting (XSS) in Claroline: CVE-2013-6267
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in "box" HTTP GET parameter passed to "/claroline/messaging/messagebox.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display "ImmuniWeb" word:
http://[host]/claroline/messaging/messagebox.php?box=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C /script%3E

1.2 The vulnerability exists due to insufficient filtration of user-supplied data in "cidToEdit" HTTP GET parameter passed to "/claroline/admin/adminregisteruser.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
http://[host]/claroline/admin/adminregisteruser.php?cidToEdit=94102_001%22%3E%3Cscript%3Ealert%28%27 imuniweb%27%29;%3C/script%3E

1.3 The vulnerability exists due to insufficient sanitisation of user-supplied data in "cidToEdit" HTTP GET parameter passed to "/claroline/admin/admin_user_course_settings.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
http://[host]/claroline/admin/admin_user_course_settings.php?ccfrom=culist&cidToEdit=94102%22%3E%3Cs cript%3Ealert%28%27imuniweb%27%29;%3C/script%3E&uidToEdit=1

1.4 The vulnerability exists due to insufficient sanitisation of user-supplied data in "module_id" HTTP GET parameter passed to "/claroline/admin/module/module.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
http://[host]/claroline/admin/module/module.php?module_id=4%22%3E%3Cscript%3Ealert%28%27imuniweb%27% 29;%3C/script%3E

1.5 The vulnerability exists due to insufficient sanitisation of user-supplied data in "offset" HTTP GET parameter passed to "/claroline/admin/right/profile_list.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
http://[host]/claroline/admin/right/profile_list.php?cmd=exLock&offset=0%22%3E%3Cscript%3Ealert%28%2 7imuniweb%27%29;%3C/script%3E

Solution: Update to Claroline 1.11.9

References:

1. High-Tech Bridge Advisory HTB23179 - Multiple Cross-Site Scripting (XSS) in Claroline.
2. Claroline - Claroline is an Open Source software to easily deploy a platform for learning and collaboration online.

HTB23181: SQL Injection in Dokeos

High-Tech Bridge Security Research Lab discovered vulnerability in Dokeos version 2.2RC, which can be exploited to perform SQL Injection attacks.

SQL Injection in Dokeos 2.2RC: CVE-2013-6341
The vulnerability exists due to insufficient validation of "language" HTTP GET parameter passed to "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database and gain complete control over the vulnerable web application.

The following exploitation example displays version of MySQL server:

http://[host]/index.php?language=0%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8%20--%202

Solution: Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23181-patch.zip

References:

1. High-Tech Bridge Advisory HTB23181 - SQL Injection in Dokeos.
2. Dokeos - the flexible, enterprise-ready e-learning software.

HTB23182: Chamilo LMS SQL injection SQLi

Chamilo LMS version 1.9.6 is vulnerable to perform SQL injection attacks, discovered by High-Tech Bridge Security Research Lab.

Chamilo LMS - Chamilo aims at bringing you the best e-learning and collaboration platform in the open source world.

SQL Injection vulnerability in Chamilo LMS exists due to insufficient validation of "password0" HTTP POST parameter passed to "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database. Exploitation example in advisory HTB23182 - SQL Injection in Chamilo LMS displays version of MySQL server. Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users' passwords ("Encryption method" option is set to "none").

Solution: Edit the source code and apply changes according to vendor's instructions.