扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 |
Security Advisory - Curesec Research Team 1. Introduction Affected Product:Kajona 4.7 Fixed in:5.0 Fixed Version Link:https://www.kajona.de/en/Downloads/downloads.get_kajona.html Vendor Website:https://www.kajona.de/ Vulnerability Type:XSS & Directory Traversal Remote Exploitable:Yes Reported to vendor:04/11/2016 Disclosed to public: 09/15/2016 Release mode:Coordinated Release CVE: n/a CreditsTim Coen of Curesec GmbH 2. Overview Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable to multiple XSS attacks and limited directory traversal. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection. The directory traversal issue gives information about which files exist on a system, and thus allows an attacker to gather information about a system. 3. Details XSS 1: Reflected XSS CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N The function that parses admin requests echoes user input into a JavaScript context without escaping, leading to reflected XSS. As the injection takes place into a JavaScript context, browser filters will generally not be able to filter out an attack. In the case of Kajona, XSS may lead to code execution, as admins can upload PHP files via the media manager. Proof of Concept: http://localhost/kajona/index.php?admin=1&module=search&action=search&peClose=1&peRefreshPage=';alert(1);foo=' Code: core/module_system/system/class_request_dispatcher.php $strReturn = "<html><head></head><body onload=\"parent.location = '" . urldecode(getGet("peRefreshPage")) . "';\"></body></html>"; XSS 2: Reflected XSS CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N The media manager echoes the form_element parameter into a JavaScript context without escaping, leading to reflected XSS. As the injection takes place into a JavaScript context, browser filters will generally not be able to filter out an attack. Note that a valid systemid id is required. Proof of Concept: http://localhost/kajona/index.php?admin=1&module=mediamanager&action=folderContentFolderviewMode&systemid=[VALID_SYSTEM_ID]&form_element=']]);alert(1);KAJONA.admin.folderview.selectCallback([['# Click on "Accept" overlay of an image to trigger the injected code. XSS 3: Reflected XSS CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N The "class_messageprovider_exceptions_enabled" parameter of the xml.php script is vulnerable to reflected XSS. Proof of Concept: http://localhost/kajona/xml.php?admin=1&module=messaging&action=saveConfigAjax&systemid=&class_messageprovider_exceptions_enabled=false<a xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'><a%3abody onload%3d'alert(1)'%2f><%2fa>&messageprovidertype=class_messageprovider_exceptions XSS 4: Persistent XSS CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N When creating a comment, the subject is vulnerable to persistent XSS. The click of an admin is required to execute the injected JavaScript code. Proof of Concept: 1. Leave a comment: http://localhost/kajona/index.php?page=postacomment 2. As subject, use: ');alert('1 3. Visit the comment overview: http://localhost/kajona/index.php?admin=1&module=postacomment&action=list 4. Click edit on the comment 5. Click on "Edit Tags" (the second symbol from the right) Directory Traversal When viewing images, the file name is improperly sanitized, allowing for directory traversal. It is not possible to actually read out files, as there are additional checks in place preventing that. But an unauthenticated attacker can still see which files exist on a system and which do not, making it possible to collect information for further attacks. Proof of Concept: GET /kajona/image.php?image=/files/images/upload/....//....//....//download.php&maxWidth=20&maxHeight=2 HTTP/1.1 -> 200 (but not shown) GET /kajona/image.php?image=/files/images/upload/....//....//....//foobar.php&maxWidth=20&maxHeight=2 HTTP/1.1 -> 404 Code: core/module_system/image.php public function __construct() { //find the params to use $this->strFilename = urldecode(getGet("image")); //avoid directory traversing $this->strFilename = str_replace("../", "", $this->strFilename); [...] } [...] private function resizeImage() { //Load the image-dimensions if(is_file(_realpath_ . $this->strFilename) && (uniStrpos($this->strFilename, "/files") !== false || uniStrpos($this->strFilename, "/templates") !== false)) { [...] } class_response_object::getInstance()->setStrStatusCode(class_http_statuscodes::SC_NOT_FOUND); class_response_object::getInstance()->sendHeaders(); } 4. Solution To mitigate this issue please upgrade at least to version 5.0: https://www.kajona.de/en/Downloads/downloads.get_kajona.html Please note that a newer version might already be available. 5. Report Timeline 04/11/2016 Informed Vendor about Issue 04/13/2016 Vendor applies fix to github 05/25/2016 Vendor releases fixed version 09/15/2016 Disclosed to public Blog Reference: https://www.curesec.com/blog/article/blog/Kajona-47-XSS-amp-Directory-Traversal-163.html -- blog:https://www.curesec.com/blog tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Josef-Orlopp-StraAe 54 10365 Berlin, Germany |
体验盒子
