Practico 13.9 Multiple Vulnerabilities
Title: Practico 13.9 Multiple Vulnerabilities
Advisory ID: ZSL-2013-5160
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting, Spoofing
Risk: (3/5)
Release Date: 03.11.2013
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
[11.10.2013] Contact with the vendor.
[16.10.2013] Vendor replies asking more details.
[17.10.2013] Sent detailed info to the vendor.
[17.10.2013] Vendor promises patch development.
[01.11.2013] Vendor releases version 13.911 to address these issues.
[03.11.2013] Coordinated public security advisory released.
[2] http://sourceforge.net/projects/practico/files/Parches_de_Actualizacion/
[3] http://sourceforge.net/projects/practico/files/Paquetes_de_Instalacion/Practico-13.911.zip/download
[4] http://www.exploit-db.com/exploits/29389/
[5] http://cxsecurity.com/issue/WLB-2013110017
[6] http://packetstormsecurity.com/files/123902
[7] http://www.osvdb.org/show/osvdb/99330
[8] http://www.osvdb.org/show/osvdb/99331
[9] http://www.osvdb.org/show/osvdb/99332
[10] http://www.securityfocus.com/bid/63527
[11] http://xforce.iss.net/xforce/xfdb/88519
[12] http://secunia.com/advisories/55560/
[13] http://secunia.com/advisories/55596/
[04.11.2013] - Added reference [4] and [5]
[05.11.2013] - Added reference [6], [7], [8], [9] and [10]
[15.11.2013] - Added reference [11], [12] and [13]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2013-5160
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting, Spoofing
Risk: (3/5)
Release Date: 03.11.2013
Summary
Practico is a free CMS software project released under license GNU GPL v2.0 for creating web applications in a completely visual and fast fashion. Without programming knowledge.Description
Practico suffers from multiple vulnerabilities including Cross-Site Scripting (XSS), SQL Injection (SQLi) and Cross-Site Request Forgery (CSRF/XSRF). The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site.Vendor
Practico - http://www.codigoabierto.orgAffected Version
13.9Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
[10.10.2013] Vulnerabilities discovered.[11.10.2013] Contact with the vendor.
[16.10.2013] Vendor replies asking more details.
[17.10.2013] Sent detailed info to the vendor.
[17.10.2013] Vendor promises patch development.
[01.11.2013] Vendor releases version 13.911 to address these issues.
[03.11.2013] Coordinated public security advisory released.
PoC
practico_multiple.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.codigoabierto.org/anuncios/nuevaversion13911[2] http://sourceforge.net/projects/practico/files/Parches_de_Actualizacion/
[3] http://sourceforge.net/projects/practico/files/Paquetes_de_Instalacion/Practico-13.911.zip/download
[4] http://www.exploit-db.com/exploits/29389/
[5] http://cxsecurity.com/issue/WLB-2013110017
[6] http://packetstormsecurity.com/files/123902
[7] http://www.osvdb.org/show/osvdb/99330
[8] http://www.osvdb.org/show/osvdb/99331
[9] http://www.osvdb.org/show/osvdb/99332
[10] http://www.securityfocus.com/bid/63527
[11] http://xforce.iss.net/xforce/xfdb/88519
[12] http://secunia.com/advisories/55560/
[13] http://secunia.com/advisories/55596/
Changelog
[03.11.2013] - Initial release[04.11.2013] - Added reference [4] and [5]
[05.11.2013] - Added reference [6], [7], [8], [9] and [10]
[15.11.2013] - Added reference [11], [12] and [13]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk