=============================== - Advisory - =============================== Tittle: CM3 AcoraCMS - Several Vulnerabilities Risk: Medium Date: 12.Sept.2012 Author: Pedro Andujar Twitter: @pandujar .: [ INTRO ] :. Acora CMS is a sleek and powerful off-the-shelf content management application coupled with a deep and extensible advanced website development framework at a killer price. This home grown product is one of DDSN's key differentiators. It's in use by many high profile clients, but easily scales down for smaller websites too. AcoraCMS is widely used accross Austalian IT companies, Banks and government websites. .: [ TECHNICAL DESCRIPTION ] :. AcoraCMS, v6.0.6/1a, v6.0.2/1a, v5.5.7/12b, v5.5.0/1b-p1 (and probably others), are prone to several security issues as described below; .: [ ISSUE #1 }:. Name: Reflected Cross Site Scripting Severity: Medium CVE: CVE-2013-4722 Due to lack of input validation and output escaping in the default.asp page, parameters such username, url, qstr, etc. can be used by an attacker to perform XSS attacks. Example: /AcoraCMS/Admin/login/default.asp?username="</div><script>alert(document.cookie)</script> /AcoraCMS/Admin/login/default.asp?url="</form><META HTTP-EQUIV=Refresh CONTENT="0; URL=http://www.google.es"> .: [ ISSUE #2 }:. Name: URL Redirect Severity Medium CVE: CVE-2013-4723 URL redirection functionality doesn't verify that VirtualPath are relatives. Example: /AcoraCMS/track.aspx?m=1&l=//www.google.es .: [ ISSUE #3 }:. Name: Username and password sent in clear text Severity: Medium Authentication credentials (username and password) and session cookies are unencrypted. .: [ ISSUE #4 }:. Name: Cookie Lack of Hardening Severity: Low CVE: CVE-2013-4724 & CVE-2013-4725 Cookies are not hardened using HttpOnly or Secure flags. .: [ ISSUE #5 }:. Name: XSRF Severity: Low CVE: CVE-2013-4726 The application lacks controls to prevent Cross Site Request Forgery. .: [ ISSUE #6 }:. Name: Information Leaks Severity: Low CVE: CVE-2013-4727 & CVE-2013-4728 * Unauthenticated users are able to retrive _viewstate encoded base64 information. /AcoraCMS/Admin/top.aspx <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMgTmV0d29ya3MgV2 Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWM gSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg" /> </div> Once decoded gives you information about the version and license including the company who owns the license, it could be used for fingerprinting the application: -486210519 d f d d d f Text $DigitalSec Networks Websited Enterprised v5.4.5/4a-cdd Anonymous (Public Internet User)d Visiblehddd&#195;q ^er ( * Application Physical Path exposed to unauthenticated users /AcoraCMS/track.aspx?m=1&l=..\.. Exception Details: System.Web.HttpException: Cannot use a leading .. to exit above the top directory. Source File: d:\Path\to\site\AcoraCMS\track.aspx.cs Line: 57 .: [ CHANGELOG ] :. * 12/Sep/2012: - Vulnerability discovered. * 27/May/2013: - Vendor contacted. No response * 19/Aug/2013: - Vendor recontacted. No response * 26/Aug/2013: - Public .: [ SOLUTIONS ] :. N/A .: [ REFERENCES ] :. [+] Acora CMS http://www.ddsn.com/knowledge-base/cm3-acora-cms.aspx [+] Clients & Projects http://www.ddsn.com/portfolio/clients.aspx [+] CM3CMS http://www.cm3cms.com/ [+] !dSR - Digital Security Research http://www.digitalsec.net/ -=EOF=-