[CVE-2017-17889] Kliqqi CMS – XSS Vulnerability in Version 3.5.2


Product Information:

Software: Kliqqi CMS

Tested Version: 3.5.2, released 11.01.2017

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: Kliqqi is a fork of Pligg CMS


Vulnerability description:

There are two stored cross-site scripting (XSS) issues and two DOM-based XSS issues. Each one is reachable by an ordinary authenticated user and fires in the browser of anyone who views the affected page.

To replicate stored XSS (1):

  1. Create a user with normal or moderator rights.
  2. Log in as that user.
  3. Navigate to /pligg/groups.php and create a new group whose name is " onmouseover=confirm(0) " (the leading double quote closes the attribute the group name is written into; the trailing one re-balances the markup).
  4. Navigate back to /pligg/groups.php and hover the cursor over the group's avatar; the payload should trigger.

To replicate stored XSS (2):

  1. Log in as the user.
  2. Navigate to the user's profile settings page (top-right drop-down -> Profile -> Settings).
  3. Set Homepage to javascript:alert(0) and save.
  4. After saving, the updated value is shown below the username.
  5. Clicking on that URL triggers the payload.

To replicate the DOM-based XSS:

  1. Log in as a normal user.
  2. Navigate to /pligg/submit.php.
  3. Enter "><svg/onload=alert()> in Tags; the payload should trigger.
  4. Remove the payload from Tags and add it in Description; the payload should trigger again.
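The three payloads above hit three different output contexts (an attribute value, an href, and an attribute that is closed and followed by a new tag), and each needs a different defence: HTML attribute encoding for the first and third, and a scheme allow-list for the homepage URL, because no amount of escaping makes a javascript: URL safe inside href. The following is an added example written for this advisory, not Kliqqi's or Plikli's code; the template markup, the avatar path and the field names are constructed stand-ins for whatever the real templates emit.

```python
import html
from urllib.parse import urlsplit

# The three payloads from the advisory, one per injection context.
GROUP_NAME_PAYLOAD = '" onmouseover=confirm(0) "'   # breaks out of an HTML attribute
HOMEPAGE_PAYLOAD = "javascript:alert(0)"            # dangerous scheme inside an href
TAG_PAYLOAD = '"><svg/onload=alert()>'              # closes the attribute and the tag

SAFE_URL_SCHEMES = {"http", "https"}


def attr(value: str) -> str:
    """Escape for a double-quoted HTML attribute value (also safe for text nodes)."""
    return html.escape(value, quote=True)


def safe_href(raw: str):
    """Return a URL that may be emitted in href, or None if it must be dropped.

    Escaping cannot neutralise javascript: URLs, because the browser interprets
    the scheme after HTML decoding; the robust fix is an allow-list of schemes.
    Mimics the browser's URL parser first: tab/newline are dropped anywhere,
    leading/trailing C0 controls and spaces are stripped, then the scheme is read.
    """
    cleaned = "".join(ch for ch in raw if ch not in "\t\r\n")
    cleaned = cleaned.strip("".join(map(chr, range(0x21))))
    try:
        parts = urlsplit(cleaned)
    except ValueError:            # e.g. malformed IPv6 literal in the host part
        return None
    if parts.scheme.lower() not in SAFE_URL_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render_vulnerable(group_name: str, homepage: str, tag: str) -> str:
    """Constructed stand-in for templates that interpolate user input verbatim."""
    return (
        f'<img src="/avatars/42.png" title="{group_name}">\n'
        f'<a href="{homepage}">{homepage}</a>\n'
        f'<input name="tags" value="{tag}">'
    )


def render_safe(group_name: str, homepage: str, tag: str) -> str:
    """Same markup with context-appropriate encoding and a scheme allow-list."""
    href = safe_href(homepage)
    # A rejected homepage is shown as inert text rather than linked at all.
    link = (f'<a href="{attr(href)}">{attr(homepage)}</a>' if href
            else f'<span>{attr(homepage)}</span>')
    return (
        f'<img src="/avatars/42.png" title="{attr(group_name)}">\n'
        f"{link}\n"
        f'<input name="tags" value="{attr(tag)}">'
    )


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_vulnerable(GROUP_NAME_PAYLOAD, HOMEPAGE_PAYLOAD, TAG_PAYLOAD))
    print("--- hardened ---")
    print(render_safe(GROUP_NAME_PAYLOAD, HOMEPAGE_PAYLOAD, TAG_PAYLOAD))
```

Run it and compare the two renderings: in the vulnerable output the group name has become a second attribute (onmouseover) and the tag payload has opened a fresh svg element, while in the hardened output both survive only as inert text and the javascript: homepage is never emitted as a link.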

Impact:

An attacker can inject scripts into pages served by an otherwise benign and trusted site. Because the script runs in the victim's browser under the site's origin, it can read any cookies that are not flagged HttpOnly, session tokens kept in web storage, and other sensitive information the browser holds for that site, and it can rewrite the contents of the HTML page. Exploitation is made easy with BeEF (The Browser Exploitation Framework), which uses a single injected script to hook the victim's browser.


Solution:

The developer of Kliqqi CMS has moved on to a new project – Plikli CMS.

Plikli CMS v4.0 includes a fix for the vulnerabilities described in this advisory.


Timeline:

Vulnerability found: 24.12.2017

Vendor informed: 24.12.2017

Response by vendor: 24.12.2017

Fix by vendor: 03.01.2018

Patched version released: 22.04.2018

Public Advisory: 22.04.2018


References:

https://www.plikli.com/download-plikli/

[CVE-2017-17902] Kliqqi CMS – SQL Injection Vulnerability in Version 3.5.2


Product Information:

Software: Kliqqi CMS

Tested Version: 3.5.2, released 11.01.2017

Vulnerability Type: Blind (time-based) SQL Injection (CWE-89)

Description: Kliqqi is a fork of Pligg CMS


Vulnerability description:

There is a time-based blind SQL injection in Kliqqi CMS: the randkey parameter sent when posting a comment on a story is injectable.

Steps to replicate:

  1. Create a new story.
  2. Navigate to the new story (e.g. /pligg/story.php?title=sqli-poc2-story).
  3. Enable request interception in Burp Suite, then return to the browser and submit a new comment.
  4. In Burp Suite, append AND (SELECT * FROM (SELECT(SLEEP(5)))MBMY) to the randkey parameter of the intercepted request.
  5. Forward the request and watch the loading icon: the application pauses for about 5 seconds before the loading icon disappears and the Kliqqi logo loads, which shows that the injected SLEEP() ran on the database server.
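The delay is the whole signal in a time-based blind injection: the response carries no data, so the tester times it instead. The example below reproduces that oracle against an in-memory SQLite table and puts the vulnerable query shape next to the hardened one. It is added here and is not Kliqqi's or Plikli's code; the table, the row and the column names are constructed, and SLEEP() is emulated because SQLite has no such function. The advisory uses SLEEP(5); the constant is lowered to one second here only to keep the demo quick.

```python
import sqlite3
import time

# Payload from the advisory; SLEEP(5) on the page, 1 second here to keep the demo quick.
SLEEP_SECONDS = 1
PAYLOAD = f"AND (SELECT * FROM (SELECT(SLEEP({SLEEP_SECONDS})))MBMY)"


def _sleep(seconds):
    """Stand-in for MySQL's SLEEP(): block for the given time and return 0 as MySQL does."""
    time.sleep(seconds)
    return 0


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the stories table; schema and data are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, _sleep)   # SQLite has no SLEEP(); emulate MySQL's
    conn.execute("CREATE TABLE links (link_id INTEGER PRIMARY KEY, randkey INTEGER, title TEXT)")
    conn.execute("INSERT INTO links (randkey, title) VALUES (123456, 'sqli-poc2-story')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, randkey: str):
    """Hypothetical vulnerable shape: the request parameter is concatenated into the SQL text."""
    sql = "SELECT link_id, title FROM links WHERE randkey = " + randkey
    return conn.execute(sql).fetchall()


def lookup_safe(conn, randkey: str):
    """Hardened shape: check the type first, then bind the value as a parameter.

    Binding keeps the value out of the SQL grammar, so the trailing AND (...)
    can never become part of the query; the isdigit() check additionally
    rejects the request outright instead of searching for a nonsense key.
    """
    if not randkey.isdigit():
        raise ValueError("randkey must be a decimal integer")
    sql = "SELECT link_id, title FROM links WHERE randkey = ?"
    return conn.execute(sql, (int(randkey),)).fetchall()


def timed(fn, *args):
    """Run a lookup and return (rows, error_name, elapsed_seconds), i.e. what a blind oracle sees."""
    start = time.monotonic()
    try:
        rows, error = fn(*args), None
    except (sqlite3.Error, ValueError) as exc:
        rows, error = None, type(exc).__name__
    return rows, error, time.monotonic() - start


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        for value in ("123456", "123456 " + PAYLOAD):
            rows, error, elapsed = timed(fn, conn, value)
            print(f"{name:10s} randkey={value!r}\n    rows={rows} error={error} elapsed={elapsed:.2f}s")
```

With the payload appended, the concatenating version returns no rows and no error but takes at least one second, exactly the "loading icon hangs" observation in step 5; the parameterised version rejects the same input immediately, and the legitimate key still returns the story.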

Impact:

SQL injection attacks will habitually allow the intruder to view data contained in the database and modify its content. However, data confidentiality and integrity are not the only concerns when considering this security issue. In fact, the hacker could gain much more privileges over the database. In some cases, he could even end up acting as a system administrator of the database server.

Source: http://www.sqlinjection.net/risks/


Solution:

The developer of Kliqqi CMS has moved on to a new project – Plikli CMS.

Plikli CMS v4.0 includes a fix for the mentioned vulnerability in this advisory.


Timeline:

Vulnerability found: 24.12.2017

Vendor informed: 24.12.2017

Response by vendor: 24.12.2017

Fix by vendor: 03.01.2018

Patched version released: 22.04.2018

Public Advisory: 22.04.2018


References:

https://www.plikli.com/download-plikli/

Domain Privacy: Exposing Personal Information Unknowingly

If I directed you to this post, chances are that your private information, such as your home address and your telephone or mobile number, is publicly available online.

Over the years I have been contacting bloggers privately by email to warn them about this issue. Some heeded the advice; others ignored it.

I am by no means an expert in privacy, but I am uncomfortable knowing that a stranger could easily find out where I live.

What is a domain name?

A domain name is a human-readable label that is mapped, through DNS, to a web server's IP address so that we don't have to remember the address itself.

That's it. For most personal sites, that is all a domain name is for.

What is the problem?

When registering a domain, we usually have to fill in four contact sections:

  1. Registrant contact information
  2. Administrative contact information
  3. Technical contact information
  4. Billing contact information

Each section serves a different role in a corporate environment; an individual registrant, however, usually puts the same personal details into all four.

This information is published in the WHOIS database, and anyone can look it up with one of the many free online WHOIS services or with the whois command-line tool.
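WHOIS replies are plain "Key: value" text, so checking your own exposure can be automated: pull the record, flatten it, and list every registrant, admin, tech and billing field that still holds a real name, address, phone number or email rather than a redaction marker or a privacy service's details. The code below is an added example for this post, not a registrar's tool; the two WHOIS records are constructed (the domain, person and registrar do not exist) and the marker words it recognises are a heuristic, not an exhaustive list of what registrars print.

```python
import re

# Two constructed WHOIS replies (no real domain, person or registrar) in the
# "Key: value" layout most gTLD registrars return.
EXPOSED_RECORD = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Example Registrar, LLC
Updated Date: 2018-04-22T00:00:00Z
Registrant Name: Jane Doe
Registrant Street: 12 Sample Street #05-01
Registrant City: Singapore
Registrant Postal Code: 123456
Registrant Phone: +65.91234567
Registrant Email: jane@example-blog.com
Admin Name: Jane Doe
Admin Street: 12 Sample Street #05-01
Admin City: Singapore
Admin Postal Code: 123456
Admin Phone: +65.91234567
Admin Email: jane@example-blog.com
Tech Name: Jane Doe
Tech Street: 12 Sample Street #05-01
Tech City: Singapore
Tech Postal Code: 123456
Tech Phone: +65.91234567
Tech Email: jane@example-blog.com
>>> Last update of WHOIS database: 2018-04-22T00:00:00Z <<<
"""

PROTECTED_RECORD = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Example Registrar, LLC
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Name: Domain Privacy Service
Admin Street: PO Box 1
Admin City: Sampleville
Admin Phone: +1.5555550100
Admin Email: contact@privacy-service.example
"""

CONTACTS = ("Registrant", "Admin", "Tech", "Billing")
PERSONAL_FIELDS = ("Name", "Organization", "Street", "City", "Postal Code", "Phone", "Email")
# Heuristic markers: placeholder text registrars print instead of a value ...
REDACTED = re.compile(r"redacted|data protected|withheld|not disclosed|query the rdds", re.I)
# ... and names that identify a privacy/proxy service standing in for the owner.
PROXY = re.compile(r"privacy|proxy", re.I)


def parse_whois(text: str) -> dict:
    """Flatten 'Key: value' lines into a dict; comment and banner lines are skipped."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return record


def exposed_contacts(text: str) -> dict:
    """Return {contact: [field, ...]} for the personal fields that are still readable.

    A contact whose Name/Organization is a privacy or proxy service is skipped
    as a whole: the street and phone shown there belong to the service, not to
    you. A contact that is merely redacted is still checked field by field,
    because some registrars redact the name yet leave the email visible.
    """
    record = parse_whois(text)
    report = {}
    for contact in CONTACTS:
        fields = {f: record.get(f"{contact} {f}", "") for f in PERSONAL_FIELDS}
        identity = fields["Name"] + " " + fields["Organization"]
        if PROXY.search(identity) and not REDACTED.search(identity):
            continue
        exposed = [f for f, v in fields.items()
                   if v and not REDACTED.search(v) and not PROXY.search(v)]
        if exposed:
            report[contact] = exposed
    return report


if __name__ == "__main__":
    for label, record in (("exposed", EXPOSED_RECORD), ("protected", PROTECTED_RECORD)):
        print(label, exposed_contacts(record) or "nothing personal visible")
```

Feed it the output of `whois yourdomain.example` and an empty report means the lookup shows only redaction placeholders or a privacy service; any contact listed is a section where your own details are still on display.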

Now what?

Hide your personal information

Privacy protection (often sold as "WHOIS privacy" or "domain privacy") is usually an add-on that costs a few dollars a year; the registrar or a proxy service publishes its own contact details in place of yours.

Note that some top-level domains (TLDs) do not allow domain privacy at all, while others, such as .sg, have it by default.

I have gathered the most commonly used registrars and provided links to their respective help pages on hiding your personal information:

If your registrar is not listed here, send me an email and I will help you by email.