jmd-cms – Multiple Vulnerabilities

  • Author: Abysssec
    Date: 2010-09-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15044/
  • http://www.exploit-db.com/moaub-19-jmd-cms-multiple-remote-vulnerabilities/
    
    Abysssec Inc Public Advisory

    Title            : JMD-CMS Multiple Remote Vulnerabilities
    Affected Version : JMD-CMS Alpha 3.0.0.9
    Discovery        : www.abysssec.com
    Vendor           : http://www.jmdcms.com/

    Download Links   : http://jmdcms.codeplex.com/releases/view/6674

    Dork             : "powered by jmdcms.com"

    Admin Page       : http://localhost/jmdcms/Login.aspx
    
     
    Description :
    ===========================================================================================
    This version of JMD-CMS (JMD-CMS Alpha 3.0.0.9) has multiple vulnerabilities:

    1- Arbitrary file upload through FCKEditor
    2- Persistent XSS
    
    
    
    1) Arbitrary file upload through FCKEditor:
    ===========================================================================================

    This vulnerability allows any file to be uploaded through either of these links:

    http://localhost/jmdcms/FCKeditor/editor/fckeditor.html
    or
    http://localhost/jmdcms/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.aspx

    Uploaded files are stored under this path:

    http://localhost/UserFiles/Image/
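The connector above accepts any file for the "Image" type. As an added defensive example (not part of this advisory or of JMD-CMS), the check below allowlists image extensions, rejects double extensions, and requires the leading bytes to match the extension; the audit function walks an existing upload folder (the UserFiles/Image layout is assumed, and the sample files are constructed) and reports anything that fails that check.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Allowlisted image extensions and the magic bytes a file of that type must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_valid_image_upload(filename: str, head: bytes) -> bool:
    """True only if the name has a single allowlisted extension and the leading bytes match it."""
    name = os.path.basename(filename)      # ignore any directory component in the client-supplied name
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if not stem or "." in stem or ext not in IMAGE_MAGIC:
        return False                       # empty name, double extension (e.g. x.aspx.jpg) or non-image extension
    return any(head.startswith(magic) for magic in IMAGE_MAGIC[ext])


def audit_upload_dir(root: Path) -> List[str]:
    """Return paths (relative to root) of files that fail the check, i.e. anything that is not a real image."""
    suspicious = []
    for path in root.rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                head = fh.read(16)         # enough for every magic prefix above
            if not is_valid_image_upload(path.name, head):
                suspicious.append(path.relative_to(root).as_posix())
    return sorted(suspicious)


def build_sample_dir() -> Path:
    """Constructed sample folder (assumed UserFiles/Image layout): one real image and two fakes."""
    root = Path(tempfile.mkdtemp(prefix="userfiles_image_"))
    (root / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 10)                    # genuine GIF header
    (root / "shell.aspx").write_bytes(b'<%@ Page Language="C#" %>')             # server script, wrong extension
    (root / "sub").mkdir()
    (root / "sub" / "photo.jpg").write_bytes(b'<%@ Page Language="C#" %>')      # script disguised with image extension
    return root


if __name__ == "__main__":
    print(audit_upload_dir(build_sample_dir()))   # prints ['shell.aspx', 'sub/photo.jpg']
```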
    
    
    
    2) Persistent XSS Vulnerabilities:
    =========================================================================================== 
    
    1- At this path there is a persistent XSS vulnerability in the Caption field
    (this page is accessible to Admin):

    	http://localhost/jmdcms/addPage.aspx?Parent_Page=default

    Vulnerable Code:
    	In App_Web_25otrp1v.dll ---> Modules_Admin_AddPage class
    
    ////////////////////////////////////////////
    public void SavePage(string URI)
    ...
    ..
    .
        this.Page_Name.Text = this.Page_Name.Text.Replace("~", "-");
        try
        {
            server.JMD_PAGE_SAVE(this.Page_Id.Value, Util.SiteURL(URI), this.Page_Name.Text, this.Page_Caption.Text, this.Meta_Title.Text, this.Meta_Desc.Text, this.Meta_Keywords.Text, this.Parent_Page_Name.Text, str, str2, str3, this.CBLToString(this.View_Roles), this.CBLToString(this.Add_Roles), this.CBLToString(this.Edit_Roles), this.CBLToString(this.Delete_Roles), this.CBLToString(this.Move_Roles), this.CBLToString(this.Add_Module_Roles), "0", str4, this.Page_Sort.Text, str5);
            ...
        }
    ////////////////////////////////////////////
    
    As you can see, there is no sanitization of the value this.Page_Caption.Text.
    For example, Caption can be: <script>alert(document.cookie)</script>
    	
    
    2- In the Register page:
    	http://localhost/jmdcms/NewUser.aspx

    Code:
    	In App_Web_25otrp1v.dll ---> Modules_Core_NewUser class
    
    ////////////////////////////////////////////
    public bool SaveUser()
    ...
    ..
    .
        try
        {
            server.JMD_USER_INSERT(this.User_Id.Value, Util.SiteURL(base.Request.QueryString["Pg"].ToString()), this.User_Name.Text, this.User_Display_Name.Text, str, salt, this.Email.Text);
            ...
        }
    ////////////////////////////////////////////
    
    There is no sanitization of these values.
    For example, you can enter these values in the Register page (each field is limited to 50 characters):

    UserID      = user<script>alert(document.cookie)</script>
    DisplayName = user<script>alert(document.cookie)</script>
    Password    = user
    Email       = ur@yah.com<script>alert(document.cookie)</script>

    When the Admin views this page, the script will run:
    	http://localhost/jmdcms/Users.aspx
    
    ===========================================================================================