Monday, 15 April 2013

[EN] Kohana Framework 2.3.4 0day

During one of my pentests I found that my client had used Kohana Framework to build his website.

That's nice, because I thought it was a very 'secure' framework. My opinion changed when I realised that
in the Input.php file there are a few 'filters' described against a few attacks. For example, a few blacklisted tags so that
XSS code cannot be added (you should read this file from Kohana, very interesting :)).

Anyway, as 'script', 'img src', 'embed' and other tags are denied, maybe we can use a trick from Michal Zalewski's book, The Tangled Web.

So-called 'broken tags' can be used here to smuggle our XSS code.

Instead of the 'simple' (and filtered here) 'img src' tag, let's 'delete' all 'white spaces'.
Now our payload string should look like this (the same one as in the latest post about SMF 2.0.4 vulnerabilities):
<img/src="x"/onerror="alert(1)">

Now it is possible to send HTML/JS code to a Kohana-based site and exploit it.
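To show why a blacklist of tag openers fails against this payload, and what actually neutralises it, here is an added Python example (not Kohana's code; the blacklist regex is a simplified stand-in for the kind of filter described above, and both payload strings are constructed from the post):

```python
import html
import re

# Constructed inputs: the broken-tag form from the post, and the 'simple'
# whitespace-separated form that a blacklist on 'img src' is meant to catch.
BROKEN_TAG_PAYLOAD = '<img/src="x"/onerror="alert(1)">'
SIMPLE_PAYLOAD = '<img src="x" onerror="alert(1)">'

# Simplified stand-in for a tag blacklist (assumption: Kohana's real filter
# differs in detail, but it works on the same principle of denying tag openers).
BLACKLIST = re.compile(r'<\s*(script|embed|img\s+src)', re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    """Strip blacklisted tag openers; everything else passes untouched."""
    return BLACKLIST.sub('', value)


def encode_for_html_body(value: str) -> str:
    """Contextual output encoding: '<', '>', '&' and quotes become entities,
    so the browser's tokenizer never sees a start tag at all."""
    return html.escape(value, quote=True)


def opens_tag(value: str) -> bool:
    """True if the string still contains a start tag as a browser tokenizes
    it: '<' followed by a letter. Attribute separators are irrelevant here;
    HTML parsers accept '/' between the tag name and attributes just like
    whitespace, which is why removing spaces defeats a whitespace-based rule."""
    return re.search(r'<[a-zA-Z]', value) is not None


if __name__ == '__main__':
    for label, payload in (('simple', SIMPLE_PAYLOAD), ('broken', BROKEN_TAG_PAYLOAD)):
        filtered = blacklist_filter(payload)
        encoded = encode_for_html_body(payload)
        print(f'{label}: after blacklist -> {filtered!r} (tag survives: {opens_tag(filtered)})')
        print(f'{label}: after encoding  -> {encoded!r} (tag survives: {opens_tag(encoded)})')
```

The blacklist removes the whitespace-separated form but passes the slash-separated one unchanged, while encoding for the HTML body context neutralises both without needing to know any tag names.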

Try this at home, because you will see that there are a few other tags that could be smuggled ;)
HTML injection is also possible.

Enjoy o/
