← Advisories

Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit

Medium
Advisory ID
ZSL-2015-5249
Release Date
04 August 2015
Vendor
Microweber Team - http://www.microweber.com
Affected Version
1.0.3
CVE
N/A
Tested On
Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
Summary

Microweber is an open source drag and drop PHP/Laravel CMS licensed under Apache License, Version 2.0 which allows you to create your own website, blog or online shop.

Description

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Stored cross-site scripting vulnerabilitity is also discovered. The issue is triggered when input passed via the POST parameter 'option_value' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept
microweber_csrf.htmlTXT
Disclosure Timeline
12.07.2015Vulnerability discovered.
12.07.2015Initial contact with the vendor.
13.07.2015Vendor responds asking more details.
13.07.2015Sent details to the vendor.
13.07.2015Vendor replies with confirmation of the issue developing fixed version 1.0.4.
04.08.2015Vendor releases official new version (1.0.4).
04.08.2015Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://github.com/microweber/microweber/blob/master/CHANGELOG.md
[2]https://microweber.com/list-of-contributors
[3]http://cxsecurity.com/issue/WLB-2015080028
[4]https://www.exploit-db.com/exploits/37734/
[5]https://packetstormsecurity.com/files/132969
[6]https://exchange.xforce.ibmcloud.com/vulnerabilities/105433
Changelog
04.08.2015Initial release
09.08.2015Added reference [4] and [5]
13.08.2015Added reference [6]