Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit
Title: Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5249
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 04.08.2015
PHP 5.6.3
MySQL 5.6.21
[12.07.2015] Initial contact with the vendor.
[13.07.2015] Vendor responds asking more details.
[13.07.2015] Sent details to the vendor.
[13.07.2015] Vendor replies with confirmation of the issue developing fixed version 1.0.4.
[04.08.2015] Vendor releases official new version (1.0.4).
[04.08.2015] Coordinated public security advisory released.
[2] https://microweber.com/list-of-contributors
[3] http://cxsecurity.com/issue/WLB-2015080028
[4] https://www.exploit-db.com/exploits/37734/
[5] https://packetstormsecurity.com/files/132969
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/105433
[09.08.2015] - Added reference [4] and [5]
[13.08.2015] - Added reference [6]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2015-5249
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 04.08.2015
Summary
Microweber is an open source drag and drop PHP/Laravel CMS licensed under Apache License, Version 2.0 which allows you to create your own website, blog or online shop.Description
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Stored cross-site scripting vulnerabilitity is also discovered. The issue is triggered when input passed via the POST parameter 'option_value' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.Vendor
Microweber Team - http://www.microweber.comAffected Version
1.0.3Tested On
Apache 2.4.10 (Win32)PHP 5.6.3
MySQL 5.6.21
Vendor Status
[12.07.2015] Vulnerability discovered.[12.07.2015] Initial contact with the vendor.
[13.07.2015] Vendor responds asking more details.
[13.07.2015] Sent details to the vendor.
[13.07.2015] Vendor replies with confirmation of the issue developing fixed version 1.0.4.
[04.08.2015] Vendor releases official new version (1.0.4).
[04.08.2015] Coordinated public security advisory released.
PoC
microweber_csrf.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://github.com/microweber/microweber/blob/master/CHANGELOG.md[2] https://microweber.com/list-of-contributors
[3] http://cxsecurity.com/issue/WLB-2015080028
[4] https://www.exploit-db.com/exploits/37734/
[5] https://packetstormsecurity.com/files/132969
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/105433
Changelog
[04.08.2015] - Initial release[09.08.2015] - Added reference [4] and [5]
[13.08.2015] - Added reference [6]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk