what you don't know can hurt you

Humhub 0.10.0-rc.1 Cross Site Scripting / SQL Injection

Humhub 0.10.0-rc.1 Cross Site Scripting / SQL Injection
Posted Dec 9, 2014
Authored by Jos Wetzels, Emiel Florijn

Humhub versions 0.10.0-rc.1 and below suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | 8587b69312d19a01ba03393eb0b3dd7e

Humhub 0.10.0-rc.1 Cross Site Scripting / SQL Injection

Change Mirror Download
[+] Humhub [1] SQL injection vulnerability
[+] Discovered by: Jos Wetzels, Emiel Florijn
[+] Affects: Humhub <= 0.10.0-rc.1

The Humhub social networking kit versions 0.10.0-rc.1 and prior suffer
from an SQL injection vulnerability, which has now been resolved in
cooperation with the vendor [2], in its notification listing
functionality allowing an attacker to obtain backend database access.
In the actionIndex() function located in
"/protected/modules_core/notification/controllers/ListController.php"
[3] a check is performed on the unsanitized $lastEntryId variable
(which is fetched from the 'from' GET parameter) to see if it is
greater than 0. However, since PHP uses type-unstrict comparisons and
$lastEntryId isn't guaranteed to be an integer, this allows an
attacker to prefix their string of choice with any number of integers
(so that $lastEntryId gets treated as an integer during the
comparison) such that the comparison evaluates to true and
$criteria->condition is injected with the otherwise unsanitized
$lastEntryId, which can be any SQL injection.

Proof of Concept: Performing the following request

index.php?r=notification/list/index&from=999) AND (CASE WHEN
0x30<(SELECT substring(password,1,1) FROM user_password WHERE id = 1)
THEN 1 ELSE 0 END) AND (1=1

Allows an attacker to perform a binary search SQL injection. In
addition, the SQL error handling of the function in question allows
the attacker to perform a reflected Cross-Site Scripting attack.

Proof of Concept: Directing any user to the following link

index.php/?r=notification/list/index&from=999) AND ("<iframe src =
'index.php/?r=user/auth/logout'>"=""

Will perform a CSRF attack against the target user.

It should be noted that the attack requires regular user-level
authentication to the humhub system.

[*] References:
1. http://humhub.org
2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
3.https://github.com/humhub/humhub/blob/e406538ac44f992774e1abd3748ee0a65469829d/protected/modules_core/notification/controllers/ListController.php#L46
------------------------------------------------------------------------------------------------------------------------
[+] Humhub [1] multiple persistent XSS vulnerabilities
[+] Discovered by: Jos Wetzels, Emiel Florijn
[+] Affects: Humhub <= 0.10.0-rc.1

The Humhub social networking kit versions 0.10.0-rc.1 and prior suffer
from multiple persistent Cross-Site Scripting vulnerabilities, which
have now been resolved in cooperation with the vendor [2], in various
parts of the codebase.

1. Post/comment persistent XSS vulnerability

In the function actionPost() in
"/protected/modules_core/post/controllers/PostController.php" [3], the
$_POST variable is cleaned using a now-outdated version of the Yii
framework's CmsInput extension stripClean() function [4], which
improperly sanitizes user-input for XSS [5]. This situation also
applies to actionPost() in
"/protected/modules_core/comment/controllers/CommentController.php"
[6]

Proof of Concept: making a post or comment with the URL-encoded form of either:

<a href = "data:text/html,test">test</a>
<img src = "index.php?r=user/auth/logout">

Will insert the corresponding HTML elements into the post/comment body.

2. Humhub-modules-mail [7] persistent XSS vulnerability

Humhub-modules-mail versions 0.5.9 and prior (when used in conjunction
with Humhub 0.10.0-rc.1 or prior) is affected by the same
vulnerability as described above. The vulnerable code is located in
the function actionCreate() in "/controllers/MailController.php" [8].
Since every private message sent to a humhub user is also sent to the
user's e-mail in the form of a HTML-enabled notification e-mail, an
attacker can insert custom HTML elements in the body of the e-mail
with grave consequences. It should be noted that the displayed
in-system private messages are not susceptible to this attack vector.

3. Admin error logging persistent XSS vulnerability

In addition to the above, the admin error logging codebase is
vulnerable to a persistent XSS vulnerability (with an even less
restrictive set of injectable elements) as well. In most modules'
error logging functionality, there is no XSS sanitation on the error
message before passing it to the database and since there is no XSS
sanitation before displaying error messages in the admin error logging
interface, causing an error with a URL-encoded XSS string (different
modules' error logging allow for different XSS vectors) in the
parameter will cause the XSS to be persistently logged in the admin
error logging interface, potentially allowing an attacker, among other
attack vectors, to hijack the admin's session.

Proof of Concept: performing either of the following requests:

index.php?r=post/post/post%3Csvg%20onload%3Dalert(1)%3E
index.php?r=mail/mail/indexdf%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E
index.php?r=notification/list/index&from=999)%3Cscript%3Ealert(1)%3C/script%3E

Wil insert the corresponding script elements into the admin error
logging interface.

It should be noted that all XSS attack vectors require at least
regular user-level access to the humhub system.

[*] References:
1. http://humhub.org
2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
3.https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/post/controllers/PostController.php#L41
4.https://github.com/humhub/humhub/blob/9274a701b316cf8da0d05862066a90a3585fff01/protected/extensions/CmsInput.php#L165
5. http://packetstormsecurity.com/files/129373/yiicmsinput-xss.txt
6.https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/comment/controllers/CommentController.php#L139
7. https://github.com/humhub/humhub-modules-mail
8. https://github.com/humhub/humhub-modules-mail/blob/04e4f2dad17ed0e4aec0d5a61a5ef979f416e98b/controllers/MailController.php#L300


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    2 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    16 Files
  • 13
    Feb 13th
    19 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    33 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close