Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Title: Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities
Advisory ID: ZSL-2014-5169
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 20.02.2014
Summary
This is a lightweight CRM which simplifies the process of managing staff, clients and projects.
Description
Multiple stored XSS and CSRF vulnerabilities exist because user input supplied to several POST parameters is not sanitized. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site, and/or to execute arbitrary HTML and script code in a user's browser session.
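The two server-side checks whose absence the description refers to, shown as an added PHP example (this is not the advisory's PoC and not Stark CRM's own code). The advisory does not name the affected parameters or handlers, so the function names, the `client_name` parameter, the `csrf_token` field and the `$session` array standing in for `$_SESSION` are all assumptions made for illustration. A request that does not carry the per-session token is refused, which is the CSRF check; a stored value is HTML-encoded at output time, which is the XSS check.

```php
<?php
// Added example, not part of the advisory or of Stark CRM. All names below
// (csrf_token, csrf_verify, render_field, handle_create_client, client_name,
// $session) are hypothetical.

declare(strict_types=1);

/**
 * Issue a per-session anti-CSRF token. The token lives in the session and must
 * be echoed back by every state-changing (POST) form.
 */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Verify the token sent with a POST request. A third-party page cannot read the
 * victim's session token, so a cross-site request fails this comparison.
 * hash_equals() keeps the comparison constant-time.
 */
function csrf_verify(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $received = $post['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($received)
        && hash_equals($expected, $received);
}

/**
 * Encode a stored field for HTML output so that markup injected into a POST
 * parameter is displayed as text instead of being executed by the browser.
 */
function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Handle a hypothetical "create client" POST with both checks in place:
 * refuse requests without a valid token, and never echo raw input.
 * Returns the HTML fragment that would appear in the clients table.
 */
function handle_create_client(array &$session, array $post): string
{
    if (!csrf_verify($session, $post)) {
        return '<p class="error">Request rejected: missing or invalid CSRF token.</p>';
    }
    $name = (string)($post['client_name'] ?? '');
    // The value may be stored as-is; encoding belongs at output time.
    return '<td>' . render_field($name) . '</td>';
}

// --- Constructed demonstration (no real requests involved) -----------------
$session = [];
$token = csrf_token($session);

// 1. A request without the session's token (what a cross-site form would
//    produce) is refused before any action is taken.
echo handle_create_client($session, ['client_name' => 'Acme']), PHP_EOL;

// 2. A request from the genuine form carries the token; a script tag placed in
//    the client_name parameter is rendered inert:
//    <td>&lt;script&gt;alert(1)&lt;/script&gt;</td>
echo handle_create_client($session, [
    'csrf_token'  => $token,
    'client_name' => '<script>alert(1)</script>',
]), PHP_EOL;
```

Run with `php example.php`. In a real deployment `$session` would be `$_SESSION` after `session_start()`, the token would be embedded in each form as a hidden field, and the encoding in `render_field` would be applied wherever a stored value is written into HTML, including the administrative views the advisory says can be reached through a riding session.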
Vendor
IWCn Systems Inc. - http://www.iwcn.ws
Affected Version
1.0
Tested On
Nginx, PHP, MySQL
Vendor Status
[03.02.2014] Vulnerabilities discovered.
[07.02.2014] Vendor notified with sent details.
[07.02.2014] Vendor confirms issues, started developing patch.
[17.02.2014] Asked vendor for status update.
[19.02.2014] No response from the vendor.
[20.02.2014] Public security advisory released.
PoC
starkcrm_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/31792/
[2] http://cxsecurity.com/issue/WLB-2014020174
[3] http://packetstormsecurity.com/files/125331
[4] http://www.securityfocus.com/bid/65710
[5] http://osvdb.org/show/osvdb/103588
[6] http://osvdb.org/show/osvdb/103589
[7] http://osvdb.org/show/osvdb/103590
[8] http://osvdb.org/show/osvdb/103591
[9] http://osvdb.org/show/osvdb/103592
[10] http://secunia.com/advisories/57048/
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10008
[12] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10008
[13] http://xforce.iss.net/xforce/xfdb/91268
[14] http://xforce.iss.net/xforce/xfdb/91267
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10009
[16] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10009
Changelog
[20.02.2014] - Initial release
[21.02.2014] - Added reference [3]
[22.02.2014] - Added reference [4], [5], [6], [7], [8] and [9]
[28.02.2014] - Added reference [10]
[26.01.2015] - Added reference [11], [12], [13], [14], [15] and [16]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk