SB2019020513 - Multiple vulnerabilities in PHPMyWind

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2019-7660)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the username parameter of the /install/index.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Cross-site scripting (CVE-ID: CVE-2019-7661)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in data/api/oauth/connect.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Cross-site scripting (CVE-ID: CVE-2019-8435)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing an HTTP Host header in admin/default.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

4) Cross-site scripting (CVE-ID: CVE-2019-7402)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks via the cfg_qqcode parameter. This can be exploited via CSRF.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "cfg_qqcode" parameter to include/func.class.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Path traversal (CVE-ID: CVE-2019-7403)

The vulnerability allows a remote user to delete arbitrary files on the system.

The vulnerability exists due to input validation error when processing directory traversal sequences in "/admin/database_backup.php" script. A remote authenticated administrator can send a specially crafted HTTP request and delete arbitrary files on the system.

Example:

http://[host]/admin/database_backup.php?action=import&dopost=deldir&tbname=../../../../../../../bbb

Remediation

Install update from vendor's website.

References

• https://github.com/0xUhaw/CVE-Bins/tree/master/PHPMyWind/XSS-2
• https://github.com/0xUhaw/CVE-Bins/tree/master/PHPMyWind/XSS-1
• https://github.com/gaozhifeng/PHPMyWind/issues/3
• https://github.com/panghusec/exploit/issues/8
• https://github.com/panghusec/exploit/issues/9