elproLOG MONITOR Webaccess 2.1 – Multiple Vulnerabilities

• Exploit Database
• 11 阅读

• 作者： Vulnerability-Lab
  日期： 2013-10-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/28708/

• Title:
  ======
  elproLOG MONITOR WebAccess 2.1 - Multiple Vulnerabilities
  
  
  Date:
  =====
  2013-09-24
  
  
  References:
  ===========
  http://www.vulnerability-lab.com/get_content.php?id=1086
  
  
  VL-ID:
  =====
  1086
  
  
  Common Vulnerability Scoring System:
  ====================================
  6.7
  
  
  Introduction:
  =============
  Web-based access to your monitoring data. elproLOG MONITOR WebAccess enables you to reliably access your data from any computer
  anywhere in the world. Regular it will be used in combination with a surveillance cam and dvr system too.
  
  (Copy of the Vendor Homepage: http://www.elpro.com/en/products/software/product/elprolog-monitor-webaccess/pa/single/pc/product/ )
  
  
  Abstract:
  =========
  The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the elproLOG MONITOR WebAccess v2.1 web-application.
  
  
  Report-Timeline:
  ================
  2013-09-24:Public Disclosure (Vulnerability Laboratory)
  
  
  Status:
  ========
  Published
  
  
  Affected Products:
  ==================
  ELPRO-BUCHS AG
  Product: elproLOG MONITOR-WebAccess 2.1
  
  
  Exploitation-Technique:
  =======================
  Remote
  
  
  Severity:
  =========
  High
  
  
  Details:
  ========
  1.1
  A remote blind SQL Injection web vulnerability is detected in the ELPRO elproLOG MONITOR WebAccess v2.1 Web-Application.
  The SQL Injection vulnerability allows an attacker (remote) to execute/inject own SQL commands in the vulnerable
  web-application database management system. 
  
  The sql injection vulnerability is located in the strend.php file. Remote attackers can inject own sql commands by 
  attacking via http GET method request the affected id parameter of the vulnerable strend.php file.
  
  Exploitation of the sql injection vulnerabilities requires no or a low privileged application user account and no user interaction. 
  Successful exploitation of the vulnerability results in database management system & application compromise via remote sql injection.
  
  
  Vulnerable Module(s):
  					[+] Trends
  
  Vulnerable File(s):
  					[+] strend.php
  
  Vulnerable Parameter(s):
  					[+] id
  
  
  
  1.2
  A non persistent input validation vulnerability is detected in the elproLOG MONITOR WebAccess v2.1 Web-Application.
  The bug allows remote attackers to force client side browser requests with manipulated web application context or 
  cross site links.
  
  
  The first cross site scripting web vulnerability is located in the sensorview.php module when processing to load 
  a manipulated data parameter via GET. The attacker provokes the exception-handling to catch the invalid data error 
  with the injected script code (client-side).
  
  The secound cross site scripting web vulnerability is located in the strend.php module when processing to load 
  a manipulated name parameter via GET. The attacker provokes the exception-handling to catch the invalid trend id 
  error with the injected script code (client-side).
  
  The vulnerability can be exploited by remote attackers without required application user account but with low or 
  mediumrequired user interaction. Successful exploitation of the vulnerability results in client side session hijacking, 
  account take-over, client side phishing, client side external redirects and client side manipulation of module context.
  
  
  Vulnerable Module(s):
  				[+] sensorview
  				[+] trends
  
  Vulnerable File(s):
  				[+] sensorview.php
  				[+] strend.php
  
  Vulnerable Parameter(s):
  				[+] data
  				[+] name
  
  
  Proof of Concept:
  =================
  1.1 - SQL Injection
  The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or 
  user interaction. For demonstration or reproduce ...
  
  PoC:
  http://elpro.localhost:8080/elpro/strend.php?data=8331&id=1+1%27'[SQL INJECTION VULNERABILITY]--&name=1
  
  
  
  1.2 - Client Side Cross Site Scripting
  The client side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account or 
  user interaction. For demonstration or reproduce ...
  
  
  PoC:
  http://elpro.localhost:8080/elpro-demo/sensorview.php?data=ECOLOG-NET%20Testing-1%27%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28document.cookie%29%3C
  Exception: 	Group: ECOLOG-NET Testing->"<
  
  
  PoC:
  http://elpro.localhost:8080/elpro-demo/strend.php?data=8331&id=0&name=->"<%27%27%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28document.cookie%29%3C
  Exception: 	Trend: Error ->"<
  
  
  Solution:
  =========
  1.1
  The sql injection web vulnerability can be patched by using a secure statement around the id parameter value implementation.
  Encode and parse the input or setup an own new exception-handling to prevent future executions of sql commands.
  
  
  1.2
  Parse and encode the vulnerable data and name parameters to fix the client-side cross site scripting web vulnerability.
  Ensure that the parameters are secure encoded in all different section of the application modules.
  
  
  Risk:
  =====
  1.1
  The security risk of the remote sql injection web vulnerability is estimated as high(+).
  
  1.2
  The security risk of the client-side cross site scripting web vulnerabilities are estimated as low(+)|(-)medium.
  
  
  Credits:
  ========
  Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
  
  
  Disclaimer:
  ===========
  The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
  either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
  Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
  profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
  states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
  may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
  or trade with fraud/stolen material.
  
  Domains:www.vulnerability-lab.com 	- www.vuln-lab.com			 - www.evolution-sec.com
  Contact:admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	 - admin@evolution-sec.com
  Section:www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		 - magazine.vulnerability-db.com
  Social:	twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	 - youtube.com/user/vulnerability0lab
  Feeds:	vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
  
  Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
  Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
  media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
  other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
  modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
  
  				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]
  
  
  
  -- 
  VULNERABILITY LABORATORY RESEARCH TEAM
  DOMAIN: www.vulnerability-lab.com
  CONTACT: research@vulnerability-lab.com