{"id":9765,"date":"2017-10-09T14:19:07","date_gmt":"2017-10-09T22:19:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/09\/news-3538\/"},"modified":"2017-10-09T14:19:07","modified_gmt":"2017-10-09T22:19:07","slug":"news-3538","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/10\/09\/news-3538\/","title":{"rendered":"SSD Advisory \u2013 PHP Melody Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 09 Oct 2017 13:03:25 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3464\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3464');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes three (3) vulnerabilities found in PHP Melody version 2.7.3.<\/p>\n<p>PHP Melody is a &#8220;self-hosted Video CMS which evolved over the last 9 years. SEO optimization, unbeaten security and speed are advantages you no longer have to compromise on.<br \/> A truly great CMS should help you save time and make your life easier not complicate it. Nobody enjoys spending time and money on inferior solutions. If you value your time, don&#8217;t settle for anything but the best video CMS with a proven track record, constant support and updates.&#8221;<\/p>\n<p>The vulnerabilities found in PHP Melody are:<\/p>\n<ul>\n<li>Stored PreAuth XSS that leads to administrator account takeover<\/li>\n<li>SQL Injection (1)<\/li>\n<li>SQL Injection (2)<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> PHP Melody has released patches to address this vulnerability.<\/p>\n<p>For more information: http:\/\/www.phpsugar.com\/blog\/2017\/10\/php-melody-v2-7-3-maintenance-release\/<\/p>\n<p><span id=\"more-3464\"><\/span><\/p>\n<p><u><strong>Vulnerabilities details<\/strong><\/u><\/p>\n<p><strong>Stored PreAuth XSS that leads to administrator account takeover<\/strong><br \/> User controlled input is not sufficiently sanitized, such that by sending a POST request to <em>page_manager.php<\/em> with the following parameters (vulnerable parameter &#8211; page_title)<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59dbf5daede7d285035190\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> page_manager.php?do=new&amp;id=&amp;author=&amp;showinmenu=0&amp;meta_keywords=555-555-0199@example.com&amp;status=0&amp;submit=Publish&amp;page_name=Peter+Winter&amp;page_title=408b7&lt;script&gt;alert(1)&lt;%2fscript&gt;f2faf<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0009 seconds] -->  <\/p>\n<p>An attacker can trigger the vulnerability and when administrator\/moderator\/editor or anyone with privileges visits Admin access <em>\/admin\/pages.php?page=1<\/em> the payload is triggered and the alert is executed.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody.jpg\" data-slb-active=\"1\" data-slb-asset=\"1950994386\" data-slb-internal=\"0\" data-slb-group=\"3464\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-300x76.jpg\" alt=\"\" width=\"300\" height=\"76\" class=\"alignnone size-medium wp-image-3465\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-300x76.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-768x193.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-1024x258.jpg 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>SQL Injection (1)<\/strong><br \/> User controlled input is not sufficiently sanitized, by sending a POST request to <em>\/phpmelody\/admin\/edit_category.php<\/em> with the following parameters:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59dbf5daede86128477365\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> category=3&amp;meta_keywords=555-555-0199@example.com&amp;tag=categoryone&amp;save=Save$name=Sample+Category+%231&amp;image=&#8217;&amp;meta_title=555-555-0199@example.com<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59dbf5daede86128477365-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59dbf5daede86128477365-1\"><span class=\"crayon-v\">category<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">meta_keywords<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">555<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">555<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0199<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">example<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">com<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">tag<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">categoryone<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">save<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">Save<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">Sample<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">Category<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">231<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">image<\/span><span class=\"crayon-o\">=<\/span>&#8216;<span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">meta_title<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">555<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">555<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0199<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">example<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">com<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0012 seconds] -->  <\/p>\n<p>The vulnerable parameter is the POST \u201cimage\u201d parameter. We can send a single quote (\u2018) to verify and the server will respond with an SQL error. We can inject SQL Queries here or extract data. <\/p>\n<p>This attack requires an admin\/modernator or editor to visit a malicious website that will submit the form with a malicious \u201cimage\u201d parameter as an Injection<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-1.jpg\" data-slb-active=\"1\" data-slb-asset=\"646242419\" data-slb-internal=\"0\" data-slb-group=\"3464\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-1-300x88.jpg\" alt=\"\" width=\"300\" height=\"88\" class=\"alignnone size-medium wp-image-3466\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-1-300x88.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-1-768x226.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-1-1024x301.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-1.jpg 1463w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>SQL Injection (2)<\/strong><br \/> SQL Injection is on a cookie-value and can be exploited without any user interaction.<\/p>\n<p>The cookie value \u201caa_pages_per_page\u201d is the vulnerable parameter and we can use time based SQL Injection techniques to verify,<\/p>\n<p>The payload we used \u2018 AND benchmark(20000000%2csha1(1))\u2014makes the server sleep for a long time (5-20 seconds).<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-2.jpg\" data-slb-active=\"1\" data-slb-asset=\"1031385740\" data-slb-internal=\"0\" data-slb-group=\"3464\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-2-300x62.jpg\" alt=\"\" width=\"300\" height=\"62\" class=\"alignnone size-medium wp-image-3467\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-2-300x62.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-2-768x158.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-2-1024x211.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-2.jpg 1501w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3464\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/PHP-melody-300x76.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 09 Oct 2017 13:03:25 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes three (3) vulnerabilities found in PHP Melody version 2.7.3. PHP Melody is a &#8220;self-hosted Video CMS which evolved over the last 9 years. SEO optimization, unbeaten security and speed are advantages you no longer have to compromise on. A truly great CMS should help you save time and make &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3464\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 PHP Melody Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11640,10757,12096,12136],"class_list":["post-9765","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-cross-site-scripting","tag-securiteam-secure-disclosure","tag-sql-injection","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9765","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9765"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9765\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9765"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9765"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9765"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}