
Oxwall 1.7.0 Multiple CSRF And HTML Injection Vulnerabilities

Severity
Medium
Advisory ID
ZSL-2014-5195
Release Date
28 July 2014
Vendor
Oxwall Software Foundation - http://www.oxwall.org
Affected Version
1.7.0 (build 7907 and 7906)
Tested On
Kali Linux 3.7-trunk-686-pae, Apache/2.2.22 (Debian), PHP 5.4.4-13 (apache2handler), MySQL 5.5.28
Summary

Oxwall is an unbelievably flexible and easy-to-use PHP/MySQL social networking software platform.

Description

Oxwall version 1.7.0 suffers from multiple cross-site request forgery (CSRF) and stored cross-site scripting (XSS) vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the user intended to send those requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
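The two defect classes named above (a state-changing POST handler with no request validity check, and user input echoed back without encoding) are easiest to see next to their fixes. The following is an added example written for this advisory; it is generic PHP, not Oxwall's code, and the handler names, the `/profile/update` route, the `status` parameter and the `save_status()` persistence helper are all hypothetical.

```php
<?php
// Added example (not Oxwall's code): one POST handler shown twice, first with
// the two defects the advisory describes, then with a synchronizer token and
// context-aware output encoding. All names here are hypothetical.

session_start();

// Placeholder for the real persistence layer. Stored XSS is a storage plus
// rendering problem, so the fix below encodes on output regardless of what
// was saved.
function save_status(string $status): void
{
}

// --- Vulnerable pattern ---
// Any third-party page that makes a logged-in victim's browser POST here
// succeeds (CSRF), and the stored value is returned unencoded (stored XSS).
function handle_profile_update_vulnerable(array $post): string
{
    $status = $post['status'] ?? '';
    save_status($status);
    return "<p>Status: $status</p>";
}

// --- Hardened pattern ---
// One random token per session, embedded in every form and required on every
// state-changing request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() keeps the comparison constant-time.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// HTML-body/attribute encoding; ENT_QUOTES also covers attribute contexts.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function handle_profile_update_hardened(array $post): string
{
    if (!csrf_check($post)) {
        http_response_code(403);
        return '<p>Invalid request token.</p>';
    }
    $status = $post['status'] ?? '';
    save_status($status);
    return '<p>Status: ' . esc($status) . '</p>';
}

// The form that legitimately targets the handler carries the token, so a
// cross-site submission (which cannot read the victim's session) lacks it.
function render_form(): string
{
    return '<form method="post" action="/profile/update">'
         . '<input type="hidden" name="csrf_token" value="' . esc(csrf_token()) . '">'
         . '<input name="status"><button>Save</button></form>';
}

// Constructed sample input containing markup, with and without the token.
$markup = '<script>alert(1)</script>';
echo handle_profile_update_hardened(['status' => $markup]), PHP_EOL;                       // rejected: no token
echo handle_profile_update_hardened(['status' => $markup, 'csrf_token' => csrf_token()]), PHP_EOL; // accepted, markup encoded
```

The token check must run before any state change, and the encoding must match the output context (HTML body here; a value placed inside a JavaScript block or a URL needs its own encoder). Setting the session cookie with `SameSite=Lax` or `Strict` adds a second layer, but does not replace the token on browsers that ignore the attribute.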

Proof of Concept
Disclosure Timeline
18.07.2014 - Vulnerabilities discovered.
18.07.2014 - Vendor contacted.
20.07.2014 - No reply from the vendor.
21.07.2014 - Vendor contacted again.
23.07.2014 - Reminded vendor on Twitter to check their e-mails.
23.07.2014 - No reply from the vendor whatsoever.
23.07.2014 - Created a forum account and contacted the vendor there.
24.07.2014 - Vendor responds on the forum post asking for more details.
24.07.2014 - Informed the vendor to confer via e-mail.
25.07.2014 - Vendor responds to the e-mails sent previously, asking for more details.
25.07.2014 - Sent detailed information to the vendor.
27.07.2014 - Asked vendor for status update.
27.07.2014 - No reply from the vendor.
28.07.2014 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.07.2014 - Initial release
29.07.2014 - Added references [1], [2], [3], [4], [5], [6] and [7]
30.07.2014 - Added references [8] and [9]
05.10.2014 - Added references [10] and [11]
20.10.2014 - Added reference [12]
02.12.2014 - Added references [13] and [14]