Information Disclosure - Internal Path Disclosure (PHPWCMS) - CVE-2018-12990

Hello All,

INTRODUCTION

The purpose of this post is to let you know how I managed to get one more CVE. Throughout this post, I will give you relevant examples/screenshots that demonstrate how I ended up finding the vulnerability.

Alright, let's plunge into the Proof-Of-Concept!

PATH OF EXPLORATION

After submitting the first vulnerability (Stored Cross Site Scripting) to the developer of the phpwcms application, I continued testing to find more vulnerabilities. While testing I saw that a CSRF token was submitted in every request. I tried to tamper with the parameter that contained the CSRF token and found that the application throws an error which discloses the internal path of the application where it is hosted.

THE MOST AWAITED DEEP DIVE POC

1) While submitting the profile page request I saw that the application passes a parameter (csrf_token_value) which, as the name suggests, contains the CSRF token, as you can see in the screenshot below.
The CSRF token was passed on almost all pages in the application.



2) I modified the last two digits of the csrf_token_value parameter and submitted the request to check whether the application validates the token.


3) After submitting the request, the application threw an error which contained the internal path of the application where it is hosted.


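A defensive illustration of the failure mode above, added here and not code from phpwcms: a CSRF check whose mismatch surfaces as a raw PHP error (which, with display_errors on, prints the script's absolute path to the client) next to a version that fails with a generic message and keeps the detail in the server log. The function names are assumptions.

```php
<?php
// Added example, not phpwcms code. The function names are assumptions.

// Weak pattern: a token mismatch becomes an uncaught exception. With
// display_errors enabled, PHP prints "Fatal error: Uncaught ... in
// <absolute script path>:<line>" to the client, so a tampered
// csrf_token_value reveals where the application is installed.
function verify_csrf_token_weak(string $submitted, string $expected): void
{
    if ($submitted !== $expected) {
        throw new RuntimeException('CSRF token mismatch');
    }
}

// Hardened pattern: compare in constant time, keep the failure out of the
// default error handler, answer with a generic message, and record the
// detail only in the server log.
function verify_csrf_token(string $submitted, string $expected): bool
{
    // hash_equals avoids timing leaks and handles differing lengths safely.
    if (!hash_equals($expected, $submitted)) {
        error_log(sprintf('CSRF token mismatch from %s on %s',
            $_SERVER['REMOTE_ADDR'] ?? 'cli',
            $_SERVER['REQUEST_URI'] ?? 'cli'));
        http_response_code(403);
        echo "Request rejected.\n";   // no path, no stack trace
        return false;
    }
    return true;
}

// Deployment setting that matters regardless of the code path: production
// php.ini should turn error display off and route errors to the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed demonstration: a fresh token next to a copy whose last two
// characters were altered, as in step 2 above.
$expected = bin2hex(random_bytes(16));
$tampered = substr($expected, 0, -2) . 'zz';

verify_csrf_token($tampered, $expected);   // rejected: generic 403, detail logged
verify_csrf_token($expected, $expected);   // accepted
```

The same check is worth running against every endpoint that consumes the token, since the post notes it is passed on almost all pages.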
The vulnerability is still not fixed.

REFERENCE LINKS

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12990
https://nvd.nist.gov/vuln/detail/CVE-2018-12990
https://twitter.com/CVEnew/status/1013067248821587973
https://github.com/slackero/phpwcms/issues/243

DISCLOSURE TIMELINE

23 October 2017 at 23:49 - Report sent.
30 October 2017 at 11:10 - First reminder sent.
22 February 2018 at 22:04 - Second reminder sent and asked for disclosure.
22 February 2018 at 22:55 - Received a reply from the developer: he agreed to the disclosure and said he would need some time to patch it.
22 February 2018 at 23:07 - I replied that I would wait for the finding to be fixed and asked for the timelines.
22 February 2018 at 23:11 - Received a reply from the developer saying he would fix it by the end of April 2018.
22 February 2018 at 23:16 - Agreed to the developer's reply and waited for the fix.
27 April 2018 at 15:50 - Sent a reminder to the developer asking whether the vulnerability had been fixed.
29 April 2018 at 16:58 - Received a reply from the developer saying he would fix the vulnerability by mid-May.
29 April 2018 at 17:15 - Agreed to the developer's reply and waited for the fix.
21 May 2018 at 14:22 - Sent a reminder to the developer asking whether the vulnerability had been fixed.
01 June 2018 at 00:23 - Sent a reminder to the developer asking whether the vulnerability had been fixed.
09 June 2018 at 19:01 - Sent a reminder to the developer asking whether the vulnerability had been fixed.
28 June 2018 at 20:53 - Sent a reminder to the developer asking whether the vulnerability had been fixed and informed him about full disclosure.
28 June 2018 at 21:31 - Requested a CVE ID from MITRE.
29 June 2018 at 15:34 - CVE ID received (CVE-2018-12990).

Thanks for reading the post.

Special Thanks to all my friends who helped / supported / motivated me for writing blogs. 🙏
