During a quick trial security assessment (not fully tested) of Crea8Social Social Network Script our team at Seekurity.com SAS de C.V. identified several severe Cross-Site Scripting Vulnerabilities in the platform that been widely used on the internet to create your own social network website (BTW this script used in the alleged new Egyptian Facebook named as EgFace.com). Our team responsibly contacted the vendor of the script but we got no answer and based on our Seekurity responsible disclosure rules which is a 90-day-disclosure-deadline or NON-Responsive vendor the bug details became visible to the public through our official communication channels.
[-] Product Description:
Crea8Social is the leading social networking software that helps you build your own custom online community.
[-] Vulnerability Type:
Multiple Cross-Site Scripting Vulnerabilities (Stored and Reflected)
[-] Impact and more info:
[-] Version affected:
Crea8Social Social Network Script – Pro and Business
[-] Test Performed:
Quick Trial Security Assessment (not fully tested)
[-] Vulnerable Request Type:
[-] Vulnerable Module/Parameter/Path:
1. Stored Cross-Site Scripting Vulnerability in Crea8Social Post comments
2. Stored Cross-Site Scripting Vulnerability in Crea8Social User Profile
3. Stored Cross-Site Scripting Vulnerability in Crea8Social Posts
4. Reflected Cross-Site Scripting Vulnerability in Search feature:
[-] Payload used:
[-] Proof of concept Video:
Crea8Social Pro Social Network Script- Stored XSS in Comments (Trial Security Test) from Mohamed A. Baset on Vimeo.
Crea8Social Pro Social Network Script- Stored and Reflected XSS (Sample Test) from Mohamed A. Baset on Vimeo.
[-] Attack Vectors:
– Escalation of Privileges: A normal user can create a bogus (user) account on Crea8Social platform hence hijack the Admin’s account and takeover the whole installation.
– Client Side JS Code Execution: A normal user can create a bogus (user) account on Crea8Social platform with a stored XSS attack vector which will lead to execute JS code on behalf of all the user types passing by the attacker’s public user profile page.
– Information Disclosure: A normal user can create a bogus (user) account on Crea8Social platform with a rough stored XSS attack vector to perform client side js code execution on other users sessions hence steal their session cookie or their private information from their accounts.
[-] Fix Suggestion:
Filter and sanitize all the user supplied inputs.
[-] Product URL(s):
This bug is subject to Seekurity SAS de C.V. responsible disclosure rules which is a 90-day-disclosure-deadline or NON-Responsive vendor. After 90 days elapse, Non-Responsive vendor detection or a patch has been made broadly available, the bug details will become visible to the public through our official communication channels.
A minute if you please!
Building a website, an application or any kind of business? Or already have one? Worried about your security? Think twice before going public and let us protect your business!