Title: ZeewaysCMS Multiple Vulnerabilities
Advisory ID: ZSL-2016-5319
Type: Local/Remote
Impact: Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 06.05.2016

Summary

ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates, Individuals or any kind of Business needs.

Description

ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET parameter is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

Zeeways - http://www.zeewayscms.com

Affected Version

unknown

Tested On

Apache/2.2.27
PHP/5.4.28

Vendor Status

[25.03.2016] Vulnerability discovered.
[25.03.2016] Vendor contacted.
[29.03.2016] Follow up with the vendor.
[29.03.2016] Vendor responded asking for details.
[29.03.2016] Advisory and details sent to the vendor.
[06.04.2016] Follow up with the vendor. No response received.
[06.05.2016] Public security advisory released.

PoC

zeewayscms_mv.txt

Credits

Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>

References

[1] https://cxsecurity.com/issue/WLB-2016050029
[2] https://www.exploit-db.com/exploits/39784/
[3] https://packetstormsecurity.com/files/137000
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/113130
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/113133

Changelog

[06.05.2016] - Initial release
[21.05.2016] - Added reference [1], [2], [3], [4] and [5]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk