Opendocman 1.3.4 HTML Injection

Posted Feb 3, 2016
Authored by Tim Coen | Site curesec.com

Opendocman version 1.3.4 suffers from an html injection vulnerability.

tags | exploit
SHA-256 | a53ed3455296d279fd0fe580f3f96ff9ee939163d5459f414db8d322bf6af452

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Opendocman 1.3.4
Fixed in: 1.3.5
Fixed Version Link: http://www.opendocman.com/free-download/
Vendor Website: http://www.opendocman.com/
Vulnerability Type: HTML Injection
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

To defend against XSS and similar attacks, opendocman depends on a function
that filters all input to remove dangerous tags and attributes.

The filter does remove the simple approaches to XSS, but it still leaves an
attacker with considerable control over the look and functionality of the website.
This can lead to phishing attacks, privilege escalation, defacement, and may
lead to XSS with older browsers.

There are likely other possibilities for attackers. It is recommended to
HTML-encode user input before echoing it to mitigate these issues, instead of
relying on input filtering.

These issues are present across the application and are reflected as well as
persistent, for example via the profile or comments.

3. Proof of Concept

Privilege Escalation

A registered user can exploit this issue in combination with social engineering
to gain admin rights:

- Change any profile field, such as last name, to:
Smith"><input type="hidden" name="admin" value="1" /><input type="hidden
- Contact the admin, saying that one is having problems updating profile information.
Ask the admin to update any field, such as the email of the user;
the form will look normal to the admin, but will contain a hidden field that updates the user to admin.
Alternatively, ClickJacking may be used to get an admin to update the profile.
- If the admin does change any field, the user will automatically gain admin rights as well.

XSS

Some payloads which may lead to XSS in older browsers can bypass the filter, for
example:

http://localhost/opendocman-1.3.4/search.php/"><x%20style=x:expr/**/ession(open(alert(1)))>

Phishing & Defacement

Attacker-controlled elements can be shown in places where a user would only
expect application-controlled data, not user data, which can be used in
phishing attacks or to deface the website.

A simple example would be:

http://localhost/opendocman-1.3.4/search.php/"><a href="http://evil.com" style= "background: red; color: white">Security Alert: Please upgrade to the latest version here!</a><input type=hidden

As mentioned, these issues are not only reflected, but also persistent. For
example when uploading a file, HTML code may be injected via the description or
comment parameters here:
http://localhost/opendocman-1.3.4/add.php
The same is possible when updating a user profile here:
http://localhost/opendocman-1.3.4//profile.php
It should be noted that by default, the registration is not open, but there is
an option to open registration for anyone.

4. Code

The problem exists across the application. A quick search reveals at least
these code snippets which are likely open to reflected attacks. Further
parameters are likely vulnerable as well. Additionally, all user input that is
persisted seems to be affected as well.

check-out.php: <input type="hidden" name="id" value="<?php echo $_GET['id'];
check-out.php: <input type="hidden" name="access_right" value="<?php echo $_GET['access_right'];
check-in.php: <input type="hidden" name="id" value="<?php echo $_GET['id'];
signup.php: echo msg ('message_account_created') . ' ' . $_POST['username'].'<br />';
check-out.php:<form action="<?php echo $_SERVER['PHP_SELF'];
check-in.php: <form action="<?php echo $_SERVER['PHP_SELF'];
file_ops.php: echo PHP_EOL . '<form name="table" action="' . $_SERVER['PHP_SELF'] . '" method="POST">';
category.php: <form action="<?php echo $_SERVER['PHP_SELF'];
category.php: <form action="<?php echo $_SERVER['PHP_SELF'];
category.php: <form action="<?php echo $_SERVER['PHP_SELF'];
profile.php: <INPUT type="hidden" name="callee" value="<?php echo $_SERVER['PHP_SELF']; ?>">
rejects.php: echo '<form name="author_note_form" action="' . $_SERVER['PHP_SELF'] . '?mode=root"' . ' method="post">';
rejects.php: echo '<form name="author_note_form" action="' . $_SERVER['PHP_SELF'] . '" method="post">';
search.php: <form action=<?php echo $_SERVER['PHP_SELF'];
department.php: <form action="<?php echo $_SERVER['PHP_SELF'];
department.php: <form action="<?php echo $_SERVER['PHP_SELF'];
department.php: <form action="<?php echo $_SERVER['PHP_SELF'];
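The snippets above echo request data straight into attribute values, and the Description recommends HTML-encoding at output time instead of relying on the input filter. The following is an added example (not code from the advisory or from Opendocman) that renders a simplified profile form both ways and parses the result, using the advisory's last-name payload to show that encoding keeps the value inside its attribute while the raw echo lets a second field appear in the form; the form markup and field names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Payload from the advisory's privilege-escalation PoC (last-name field).
LAST_NAME_PAYLOAD = 'Smith"><input type="hidden" name="admin" value="1" /><input type="hidden'

def render_profile_form_unsafe(last_name: str) -> str:
    """Mirrors the vulnerable pattern in section 4: user data echoed raw into an attribute."""
    return ('<form action="/profile.php" method="post">'
            f'<input type="text" name="last_name" value="{last_name}">'
            '<input type="submit" value="Update"></form>')

def render_profile_form_safe(last_name: str) -> str:
    """Same form, but the value is HTML-encoded at output time (quote=True also encodes ")."""
    return ('<form action="/profile.php" method="post">'
            f'<input type="text" name="last_name" value="{html.escape(last_name, quote=True)}">'
            '<input type="submit" value="Update"></form>')

class InputCollector(HTMLParser):
    """Collects the attributes of every <input> a browser would see in the markup."""
    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "input":
            self.inputs.append(dict(attrs))

def form_fields(markup: str) -> list[dict]:
    parser = InputCollector()
    parser.feed(markup)
    parser.close()
    return parser.inputs

def submitted_names(markup: str) -> list:
    """Field names that would be submitted with the form (None for unnamed inputs)."""
    return [field.get("name") for field in form_fields(markup)]

if __name__ == "__main__":
    print("unsafe:", submitted_names(render_profile_form_unsafe(LAST_NAME_PAYLOAD)))
    print("safe:  ", submitted_names(render_profile_form_safe(LAST_NAME_PAYLOAD)))
```

The parser unescapes attribute values, so the safe rendering still round-trips the exact string the user entered; nothing was stripped, it simply cannot leave its attribute.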

5. Solution

To mitigate this issue please upgrade at least to version 1.3.5:

http://www.opendocman.com/free-download/

Please note that a newer version might already be available.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for different issue for verification
01/13/2016 Confirmed fix
01/20/2016 Vendor requests more time to fix XSS issues
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-HTML-Injection-151.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
