CompactCMS 1.4.1 – Multiple Vulnerabilities

• Exploit Database
• 10 阅读

• 作者： Patrick de Brouwer
  日期： 2011-01-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15996/

• # Exploit Title: CompactCMS 1.4.1 Multiple Vulnerabilities
  # Google Dork: 	 intext:"Maintained with CompactCMS.nl" intitle:"Print: *"
  # Date:17-12-2010
  # Author:NLSecurity
  # Software Link: http://files.compactcms.nl/stable/
  # Version: CompactCMS 1.4.1
  # Credits: http://www.nlsecurity.org/
  # Extra: irc.6667.eu#main
  
  Description:
  
  CompactCMS 1.4.1 has multiple XSS and File Disclosure vulnerabilities. These file disclosures will
  appear if the users have access to view open directories.
  
  --- File Disclosures ---
  
  /admin/includes/modules/backup-restore/
  /admin/includes/modules/backup-restore/content-owners/
  /admin/includes/modules/backup-restore/module-management/
  /admin/includes/modules/backup-restore/permissions/
  /admin/includes/modules/backup-restore/template-editor/
  /admin/includes/modules/backup-restore/user-management/
  
  /admin/includes/fancyupload/
  /admin/includes/fancyupload/Assets/
  /admin/includes/fancyupload/Assets/Icons/
  
  /admin/includes/fancyupload/Backend/
  /admin/includes/fancyupload/Backend/Assets/
  /admin/includes/fancyupload/Backend/Assets/getid3/
  
  /admin/includes/fancyupload/Language/
  /admin/includes/fancyupload/Source/
  /admin/includes/fancyupload/Source/Uploader/
  
  /admin/includes/edit_area/
  /admin/includes/edit_area/images/
  /admin/includes/edit_area/langs/
  /admin/includes/edit_area/reg_syntax/
  
  /admin/img/mochaui/
  /admin/img/styles/
  /admin/img/uploader/
  
  /_docs/
  
  ... Perhaps more, but this should give an idea. :-)
  
  --- Cross-Site Scripting Vulnerabilities (XSS) ---
  
  /afdrukken.php?page=">[XSS]
  
  This can be found on line 48:
  <strong><a href="https://www.exploit-db.com/exploits/15996/<?php echo $ccms['rootdir'];?><?php echo ($_GET['page']!=$cfg['homepage'])?$_GET['page'].'.html':null; ?>"><?php echo $ccms['lang']['system']['tooriginal']; ?></a></strong>
  Vuln: $_GET['page']
  
  ---
  
  /admin/includes/modules/permissions/permissions.Manage.php?status=notice&msg=[XSS]
  
  This can be found on line 62:
  <?php if(isset($_GET['msg'])) { echo '<span class="ss_sprite ss_confirm">'.$_GET['msg'].'</span>'; } ?>
  Vuln: $_GET['msg']
  
  ---
  
  /lib/includes/auth.inc.php
  Username input field (userName) has an XSS vulnerability when using POST data.
  
  This can be found on line 119:
  <label for="userName"><?php echo $ccms['lang']['login']['username']; ?></label><input type="text" class="alt title" autofocus placeholder="username" name="userName" style="width:300px;" value="<?php echo (!empty($_POST['userName'])?$_POST['userName']:null);?>" id="userName" />
  Vuln: $_POST['userName']