Friday, December 27, 2013

HTB23186: MijoSearch Joomla Extension - XSS and Full Path Disclosure

MijoSearch Joomla Extension High-Tech Bridge Security Research Lab discovered 2 vulnerabilities in MijoSearch Joomla Extension version 2.0.1, which can be exploited to gain access to potentially sensitive data and perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.

Cross-site Scripting vulnerability in MijoSearch exists due to insufficient sanitisation of user-supplied data appended to "/component/mijosearch/search" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

Information Exposure Through Externally-generated Error Message vulnerability in MijoSearch exists due to improper implementation of error handling mechanisms in "/component/mijosearch/search" URL. A remote attacker can send a specially crafted HTTP GET request to the vulnerable web application and gain knowledge of full installation path of the application.

Read full details at High-Tech Bridge Advisory HTB23186: Multiple Vulnerabilities in MijoSearch.

Posted by at No comments:
Labels:

Thursday, December 12, 2013

HTB23183: Bitrix Site Manager - User Identity Spoofing - CWE-345

Bitrix Site Manager High-Tech Bridge Security Research Lab discovered vulnerability in Bitrix Site Manager version 12.5.13, which can be exploited to spoof user's identity and read, modify or delete pre-ordered items in customer's basket.

User Identity Spoofing vulnerability (CWE-345) in Bitrix Site Manager version 12.5.13 exists due to insufficient verification of supplied data authenticity when displaying pre-order items in customer's basket in the e-Store Module of Bitrix Site Manager. A remote unauthenticated user can change "BITRIX_SM_SALE_UID" cookie, view another user's basket and perform certain actions, e.g. add or delete items in the basket. The e-Store Module must be installed on the system and knowledge of a valid "BITRIX_SM_SALE_UID" cookie is required. This value can be easily guessed using simple brute-force techniques, since the application increases its value by 1 with every new customer.

Below are exploitation instructions for this vulnerability. You will need to open two different browsers with plugins that allow cookie management.

  1. Open your first browser
  2. Visit the following URL http://[host]/buy/cms.php and add items to the basket.
  3. You will be redirected to the following URL: http://[host]/personal/cart.php
  4. Record your "BITRIX_SM_SALE_UID" cookie value.
  5. Open your second browser and navigate to the following URL: http://[host]/personal/cart.php
  6. Change the value of your "BITRIX_SM_SALE_UID" cookie to the one you recorded before and delete all other cookies.
  7. Refresh the page http://[host]/personal/cart.php. You will see pre-ordered items of another user.

Solution: Update "sale" module to version 14.0.1

More Information: www.bitrixsoft.com/products/cms/versions.php?module=sale

Posted by at No comments:
Labels:

HTB23185: SQL Injection in InstantCMS

InstantCMS

High-Tech Bridge Security Research Lab discovered blind SQL injection vulnerability in InstantCMS version 1.10.3, which can be exploited to perform SQL Injection attacks, alter SQL requests and compromise vulnerable application.

SQL Injection vulnerability in InstantCMS exists due to insufficient filtration of "orderby" HTTP POST parameter passed to "/catalog/[id]" URL. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. Simple exploit code in advisory uses blind SQL injection exploitation technique.

Solution: Apply patch for InstantCMS 1.10.3
InstantCMS 1.10.3 downloaded after November 21, 2013 is patched [without version/release modification] and is not vulnerable for this vulnerability.

Posted by at No comments:
Labels:

Friday, December 6, 2013

HTB23184: Cross-Site Scripting (XSS) in Jamroom

Jamroom Jamroom, social media platform, version 5.0.2 is vulnerable to perform cross-site scripting (XSS) attacks. Details are disclosed by High-Tech Bridge Security Research Lab.

The XSS vulnerability exists due to insufficient sanitisation of user-supplied data in "search_string" HTTP POST parameter passed to URLs like "/search/results/all/1/4". A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The exploitation example below uses the JavaScript "alert()" function to display "immuniweb" word:
<form action="http://[host]/search/results/all/1/4" method="post" name="main">
<input type="hidden" name="search_string" value='" onmouseover="javascript:alert("immuniweb");'>
<input type="submit" id="btn">
</form>

Solution: Update Jamroom Search module to version 1.1.1.

Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)