[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-VFRONT0602.txt
Vendor:
==============
www.vfront.org
Product:
===================================================================================
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.
Advisory Information:
====================================
CSRF, Persistent XSS & reflected XSS
Vulnerability Detail(s):
=======================
CSRF:
=========
No CSRF token in place, therefore we can add arbitrary users to the system.
Persistent XSS:
================
variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
into the MySQL database which will be run each time variabili.php is accessed from victims browser.
Persisted XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)
Exploit code(s):
===============
CSRF code add arbitrary users to system:
=======================================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/>&tabella=&uid=&data_dal=All&data_al=All
Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
"/>
Reflected XSS(s):
=================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/>
XSS vulnerable input fields:
============================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid <------------- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
Disclosure Timeline:
===================================
Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure
Severity Level:
===================================
High
Description:
==========================================================
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] vfront-0.99.2
Vulnerable Parameter(s):
[+] altezza_iframe_tabella_gid
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
id_campo
op
Affected Area(s): [+] Admin & MySQL DB
===============================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
(hyp3rlinx)