Title:
======
EmbryoCore CMS v1.03 - Multiple Web Vulnerabilities


Date:
=====
2012-04-14


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=503


VL-ID:
=====
503


Introduction:
=============
EmbryoCore is a blog / content management system written using PHP5 s newest features. Highly 
customizable, XHTML:Strict compliant, with full integration of jQuery for dynamic ajax-powered content.

    Completely XHTML Strict compliant
    Pure CSS layouts
    Drag and drop interface for moving content around
    Static page and article entry for non-blog content
    Ajax comments system
    Ajax multi-page articles
    Ajax file manager with upload and auto-thumbnailing for images
    Ajax gallery system
    Post priviledges - every post can be configured to be seen by only guests, administrators, members etc
    Ratings and comments can be enabled or disabled on a per post basis
    Spam protection - configurable time-outs for disallowing posts within a certain time from visiting site and 
  from last post made etc, also online post checking with TypePad AntiSpam
    Advanced theme templating system means you can change the look of your site with a single click, and 
  building new themes is simplicity itself
    WYSIWYG editor for simple content entry
    Full categorization with sub-categories
    Cross blog communication with built in pingback
    Syndication with dynamic RSS creation for posts, comments etc
    Search engine friendly URL s
    Cache system reduces server load and speeds up page loads
    Automatic updating from the admin area
    Automatic installation of themes, plugins etc, no FTP access required

    Fully object orientated code
    Fully event driven
    Takes full advantage of PHP5 s new features
    Full integration with jQuery, including popular plugins like Shadowbox
    Uses PHP5 s inbuilt PDO (PHP Data Objects) class, and the powerful abstraction layer means building queries is a breeze
    Create as many sub-sites as you want from your admin area, all running off the same core code

(Copy of the Vendor Homepage: http://embryocore.sourceforge.net/ )


Abstract:
=========
The Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in EmbryoCore v1.03.


Report-Timeline:
================
2012-04-14:  Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A remote SQL Injection vulnerability (POST) is detected in EmbryoCore v1.03 content management system.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands 
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.
The vulnerability is located on the username post method.

Vulnerable Module(s):
        [+] Add User or Register User Request (POST) [embryocore/index.php?event=admin:auser]


--- SQL Exception Logs ---
<div style=``display: none; opacity: 1;`` id=``kmessage`` class=``no-display``><img src=``
content/themes/admin/images/apply.png`` alt=``> <strong>EmbryoCore Fatal Database error:</strong> [42000]: 
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server 
version for the right syntax to use near ``=> ``></div>


Picture(s):
        ../1.png



1.2
A persistent input validation vulnerability is detected in the EmbryoCore v1.03 web application.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) 
context manipulation. Exploitation requires low user inter action because the admin needs to watch the user list.
The user includes his scriptcode as profile name and the code is getting executed on the administrator section 
persistent.


Vulnerable Module(s):
        [+] Profil & Username Input Field
          [-] Admin Control Panel - User Listing 


Picture(s):
        ../2.png
        ../3.png


Proof of Concept:
=================
The sql injection vulnerability can be exploited by remote attackers without inter action or local low 
privileged user accounts. For demonstration or reproduce ...


1.1
To inject the sql command implement your statement on the user input fields and send it with the request (POST Method).
The return will be the error or successful query of the application dbms.

POST:  /embryocore/index.php?ajax=admin:auser&mode=createNewUser HTTP/1.1
POC:   user_displayname=[SQL-INJECTION]&user_login=test2&user_email=m@dot.empire&user_password=123456&user_cpassword=hack4best


1.2
The persistent input validation vulnerability can be exploited by remote attackers without inter action 
or local low privileged 
user accounts. Successful exploitation requires low user inter action because the admin only have to review the user listing. 
For demonstration or reproduce ...

User Listing PoC:
<tr><td style="width: 1%; vertical-align: top;"><img src="http://www.gravatar.com/avatar.php?gravatar_id=
56f8d37b176ad6e9dc45e7923d1296ce&default=http%3A%2F%2Fxxx.com%2Fembryocore%2Flibs%2F
modules%2Ftemplate%2Fimages%2Fdefault_gravatar.png" alt="gravatar" style="width: 45px;">​​​​​</td><td style="
width: 15%; vertical-align: top;"><div class="list-title"><strong>-2</strong></div>"><iframe src="
http://www.vulnerability-lab.com" width"500"="" height="500"><br />91.37.89.26</td><td style='
width: 20%; vertical-align: top;'>Joined:<br />Monday 09th April 2012, 04:33am</td><td 
style='width: 20%; vertical-align: top;'>Last Visit:<br />-</td><td style='width: 20%; 
vertical-align: top;'>Last Post:<br />-</td><td style='width: 2%; vertical-align: top; 
text-align: right;'><img src='http://xxx.com/embryocore/content/themes/admin/images/comment.png' 
alt='comments' title='comments' /> 0</td></tr>
<tr>


Risk:
=====
1.1
The security risk of the sql injection vulnerability via post method is estimated as high(-).

1.2
The security risk of the persistent vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Research Laboratory   -    Kevin J.  (Silent_0x)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

                Copyright © 2012 Vulnerability-Lab




-- 
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com