Tinypug Multiple Vulnerabilities

##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:              Tinypug Multiple Vulnerabilities
# Vendor:             http://platformassociates.com/
#                     (project hosted at http://code.google.com/p/tinypug/)
# Vulnerable Version: 0.9.5 (and prior versions)
# Exploitation:       Remote with browser
# Fix:                N/A
###################################################################################

####################
- Description:
####################

Tinypug is a system for building portals that enable innovation communities and
customer inquiry. The idea is to go beyond one-off statistical surveys (which tend
only to verify an existing paradigm) and to foster real collaboration, scalable
two-way communication, and anecdotal feedback from users/customers.


####################
- Vulnerability:
####################

+--> CSRF (Cross-Site Request Forgery)
	The password changing page is vulnerable to a CSRF attack. This vulnerability
	can be used to change the password of the victim: the request carries no
	anti-forgery token, so any site the victim visits while logged in can submit
	it on the victim's behalf. For details of this process see the "Exploits/PoCs"
	section.

+--> Stored XSS Vulnerability
	The comment page is vulnerable to a Stored XSS attack, but comments are
	published only after administrator confirmation. However, this XSS
	vulnerability can be used in conjunction with the more serious security hole
	(CSRF) in order to change the administrator's password: the administrator has
	to view the comment in order to review it, and a script embedded in the
	comment can submit the forged password-change request from the
	administrator's own session. Moderation therefore does not mitigate the XSS;
	it delivers the payload to the most privileged user.

####################
- Exploits/PoCs:
####################

+--> Exploiting The CSRF Vulnerability:
	As in any CSRF attack, the victim needs to be logged in at the target site,
	namely "victim.com", and to visit the attacker's site, namely "attacker.com".
	The attacker can then change the password of the victim (for example to
	"the-new-password") by presenting the following code at the attacker.com
	site: a hidden form that targets the change_password action and is posted
	into a frame named "if1", so the victim sees nothing:

		<form action="http://victim.com/tinypug-0.9.5/profiles/change_password"
		      method="post" id="the_form" style="display:none" target="if1">
			<!-- the form's input fields did not survive in this copy of the advisory -->
		</form>

+--> Exploiting The Stored XSS Vulnerability:
	Simply go to the comment page of a post
	(for example at "http://victim.com/tinypug-0.9.5/stories/view/welcome#comments")
	and embed any desired XSS vector in the comment body.
	But be aware that comments will be reviewed by administrators before publishing.

+--> Changing Administrator Password by combining above Vulnerabilities:
	Using the Stored XSS attack, make the administrator see the following code
	(a comment whose visible text is harmless, but which carries a script that
	submits the hidden CSRF form above from the administrator's session while
	the comment is being reviewed):

		My comment !!!