Headline
CVE-2023-24737: CVE/PMB at main · AetherBlack/CVE
PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php.
To search these vulnerabilities, I use the docker https://github.com/jperon/pmb/ and I simply change the URL in the Dockerfile to match the latest version (7.4.6).
PMB 7.4.6 - Reflected XSS - CVE-XXXX
- Affected version : 7.4.6
- Vulnerability Type : XSS Reflected (Unauthenticated)
- CWE-79
Description
The web app incorrectly neutralizes user-controllable input before it is placed in output. This allows an attacker to make a Reflected XSS on /pmb/admin/convert/export_z3950_new.php and /pmb/admin/convert/export_z3950.php endpoint via the same query parameter.
Exploitation
- Go to http://website.com/pmb/admin/convert/export_z3950_new.php or http://website.com/pmb/admin/convert/export_z3950.php
- Set parameter command to search and query to a JavaScript payload that end by =or (needed to bypass filter).
- Trigger your Reflected XSS: http://website.com/pmb/admin/convert/export_z3950.php?command=search&query=%3Cscript%3Ealert(document.domain);%3C/script%3E=or
PoC
Here is an example with an alert box :
Remediation
Sanitize the query parameter with htlmentities function.
PMB 7.4.6 - SQL Injection - CVE-XXXX
- Affected version : 7.4.6
- Vulnerability Type : SQL Injection (Unauthenticated)
- CWE-89
Description
The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/edit.php endpoint via the user parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account is extracted.
Exploitation
- Go to http://website.com/pmb/edit.php
- Set parameter action=whatever&dest=TABLEAUCSV and user to your SQL payload %27%20OR%201=1;%23&password=password
- Trigger your SQL Injection: http://website.com/pmb/edit.php?action=whatever&dest=TABLEAUCSV&user=%27%20OR%201=1;%23&password=password
PoC
Here is an example of a simple bypass :
Remediation
Use prepared SQL query.
PMB 7.4.6 - Unrestricted File Upload - CVE-XXXX
- Affected version : 7.4.6
- Vulnerability Type : Unrestricted File Upload (Authenticated)
- CWE-434
Description
The web app allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment or overwrite configuration files. An attacker can host malicious files (ending with #data-section to make simple the exploitation of the RCE, see the next section).
Exploitation
- Go to http://website.com/pmb/camera_upload.php
- Send a POST request with the parameters upload_filename that is the name of the file you want to upload and imgBase64 the file content to upload.
- To bypass the filter in place (image checking), your file need to starts with GIF89a.
PoC
Here is an example of a file upload :
Remediation
Check the extension of each file. DO NOT trust user input, and generate a random name for each file uploaded.
PMB 7.4.6 - Remote Code Execution - CVE-XXXX
- Affected version : 7.4.6
- Vulnerability Type : XSS Reflected (Authenticated)
- CWE-94
Description
The web app incorrectly neutralizes user-controllable input before it is placed in exec function. This allows an attacker to execute a shell command through the parameter decompress.
Exploitation
- Go to http://website.com/pmb/admin/sauvegarde/restaure_act.php
- filename parameter need to point to a file that ends with #data-section. The web app use fopen so it’s possible to pass a URL to this parameter.
- compress parameter need to be 1.
- decompress_type need to be external.
- decompress it’s your shell command. That can the id command.
PoC
Here is an example of a blind RCE :
Remediation
Never trust user input and if possible do not decompress file with any external command that are controlled by user input.
PMB 7.4.6 - Open Redirect - CVE-XXXX
- Affected version : 7.4.6
- Vulnerability Type : Open Redirect (Unauthenticated)
- CWE-601
Description
The web app accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Exploitation
- Go to http://website.com/pmb/opac_css/pmb.php
- Set from parameter to empty.
- url parameter to the URL you want to redirect to.
- hash parameter to the md5 of your url parameter.
PoC
Here is an example of an Open Redirect :
Remediation
Check the domain with a whitelist.
PMB 7.4.6 - SQL Injection - CVE-XXXX
- Affected version : 7.4.6
- Vulnerability Type : SQL Injection (Unauthenticated)
- CWE-89
Description
The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/opac_css/export.php endpoint via the notice_id parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account can be extracted.
Exploitation
- Go to http://website.com/pmb/opac_css/export.php
- Set action parameter to export.
- notice_id parameter need to start by es after that you can add your SQL payload.
PoC
Here is an example of an SQL Injection :
Remediation
Use prepared SQL Query or add simple quote in this specific SQL query.