ZeewaysCMS Multiple Vulnerabilities

Title: ZeewaysCMS Multiple Vulnerabilities
Advisory ID: ZSL-2016-5319
Type: Local/Remote
Impact: Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 06.05.2016
Summary
ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates, Individuals or any kind of Business needs.
Description
ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET parameter is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Vendor
Zeeways - http://www.zeewayscms.com
Affected Version
unknown
Tested On
Apache/2.2.27
PHP/5.4.28
Vendor Status
[25.03.2016] Vulnerability discovered.
[25.03.2016] Vendor contacted.
[29.03.2016] Follow up with the vendor.
[29.03.2016] Vendor responded asking for details.
[29.03.2016] Advisory and details sent to the vendor.
[06.04.2016] Follow up with the vendor. No response received.
[06.05.2016] Public security advisory released.
PoC
zeewayscms_mv.txt
Credits
Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016050029
[2] https://www.exploit-db.com/exploits/39784/
[3] https://packetstormsecurity.com/files/137000
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/113130
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/113133
Changelog
[06.05.2016] - Initial release
[21.05.2016] - Added reference [1], [2], [3], [4] and [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk