
PmOS - Pm Okuma Sistemi Cross Site Scripting

Posted on 10 April 2012

============================================================================
Vulnerable Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS]
http://seditio-eklenti.com/datas/users/1-pmoku.rar
(MD5 SUM: 88235c2b4b0613bff87545d2d887f042 *1-pmoku.rar)
http://seditio-eklenti.com/seditio-pm-okuma-eklentisi-d46.html
============================================================================
About Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS] gives administrators the ability to read other users' PMs (private messages).
============================================================================
Tested With: Seditio 165
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
    -> ;
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
*/
============================================================================
Vuln Desc: Due to insufficient sanitization this plugin is prone to a Cross Site Scripting vulnerability (persistent/stored XSS).
============================================================================
No sanitization is applied when fetching data from the database. And thanks to Seditio CMS again: it stores the private message body in the database without any sanitization:
===========================================================================
mysql> select * from sed_pm \G
*************************** 1. row ***************************
        pm_id: 6
     pm_state: 0
      pm_date: 1334009749
pm_fromuserid: 1
  pm_fromuser: admin
  pm_touserid: 1
     pm_title: <script>alert(1);</script>
      pm_text: <script>alert(2);</script>
1 row in set (0.00 sec)

mysql>
===========================================================================
Because the pmoku plugin trusts this stored data and echoes it as-is, it is vulnerable to XSS.
Vulnerable code section (the value read by $pm_text = $row['pm_text']; near the bottom of the loop is written to the page unsanitized):
//plugins/pmoku/pmoku.admin.php
----------------------------------------Snip ------------------------------------
$sql = sed_sql_query("SELECT * FROM sed_pm ORDER by pm_date DESC LIMIT 0,50");
$plugin_body .= "<h4>".$L['editdeleteentries']." :</h4>";
$plugin_body .= "<table class=\"cells\"><tr>";
$plugin_body .= "<td class=\"coltop\">".$L['Delete']."</td>";
$plugin_body .= "<td class=\"coltop\">Tarih</td>";
$plugin_body .= "<td class=\"coltop\">Gönderen</td>";
$plugin_body .= "<td class=\"coltop\">Konu</td>";
$plugin_body .= "<td class=\"coltop\">Mesaj</td>";
$plugin_body .= "<td class=\"coltop\">Alan</td>";
$plugin_body .= "</tr>";
while ($row = sed_sql_fetcharray($sql))
{
    $pm_id = $row['pm_id'];
    $pm_date = @date($cfg['dateformat'], $row['pm_date'] + $usr['timezone'] * 3600);
    $pm_fromuser = $row['pm_fromuser'];
    $pm_title = $row['pm_title'];     // raw database value
    $pm_text = $row['pm_text'];       // raw database value, never encoded below
    $pm_touserid = $row['pm_touserid'];
    // note: $allowlist_id is never assigned anywhere in this snippet
    $plugin_body .= "<form id=\"saveallowlist_".$allowlist_id."\" action=\"admin.php?m=tools&p=adminallow&a=update&id=".$allowlist_id."\" method=\"post\">";
    $plugin_body .= "<tr><td style=\"text-align:center;\">[<a href=\"admin.php?m=tools&p=pmoku&a=delete&id=".$pm_id."&".sed_xg()."\">x</a>]</td>";
    $plugin_body .= "<td>$pm_date</td>";
    $plugin_body .= "<td>$pm_fromuser</td>";
    $plugin_body .= "<td>$pm_title</td>";     // unsanitized output
    $plugin_body .= "<td>$pm_text</td>";      // unsanitized output
    $plugin_body .= "<td>$pm_touserid</td>";
    $plugin_body .= "<td><input type=\"submit\" class=\"submit\" value=\"".$L['Update']."\" /></td></tr></form>";
}
$plugin_body .= "</table>";
------------------------------EOF Snip ------------------------------------
Print screen: http://s019.radikal.ru/i617/1204/b2/9c434fd50926.png
Special Thanks 2 MeTaiZm & 2 All AA Team.
+++++ Greetz to all ++++++
packetstormsecurity.*, securityfocus.com, cxsecurity.com, security.nnov.ru, securtiyvulns.com and to all others!
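Hardened version of the row loop above, added here as an example and not part of the plugin or the advisory: every column read from sed_pm is HTML-encoded before it is concatenated into the admin table. The sample row is constructed from the advisory's database dump; the sed_xg() CSRF token and the $cfg/$usr date handling are left out to keep the example self-contained.

```php
<?php
// Added example (not the pmoku plugin's code): output-encode every value taken
// from sed_pm before building the admin table, so stored HTML is shown as text.

/** Encode a database value for use as HTML text (also safe inside attributes). */
function h($value): string
{
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the PM listing rows the way pmoku.admin.php does, but encoded. */
function render_pm_rows(array $rows, string $dateformat = 'Y-m-d H:i'): string
{
    $body = '';
    foreach ($rows as $row) {
        $pm_id   = (int)$row['pm_id'];                 // cast: only used in the URL
        $pm_date = date($dateformat, (int)$row['pm_date']);
        $body .= '<tr><td style="text-align:center;">'
               . '[<a href="admin.php?m=tools&amp;p=pmoku&amp;a=delete&amp;id=' . $pm_id . '">x</a>]</td>'
               . '<td>' . h($pm_date) . '</td>'
               . '<td>' . h($row['pm_fromuser']) . '</td>'
               . '<td>' . h($row['pm_title']) . '</td>'   // was echoed raw in the plugin
               . '<td>' . h($row['pm_text']) . '</td>'    // was echoed raw in the plugin
               . '<td>' . h($row['pm_touserid']) . '</td></tr>' . "\n";
    }
    return $body;
}

// Constructed sample row carrying the same payload as the advisory's dump.
$rows = [[
    'pm_id' => 6, 'pm_state' => 0, 'pm_date' => 1334009749,
    'pm_fromuserid' => 1, 'pm_fromuser' => 'admin', 'pm_touserid' => 1,
    'pm_title' => '<script>alert(1);</script>',
    'pm_text'  => '<script>alert(2);</script>',
]];

$html = render_pm_rows($rows);
echo $html;

// Check: no executable tag survives; the browser renders the payload literally.
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('raw script tag leaked into output');
}
if (strpos($html, '&lt;script&gt;alert(2);&lt;/script&gt;') === false) {
    throw new RuntimeException('expected encoded pm_text not found');
}
```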
