jmd-cms - Multiple Vulnerabilities

2010-09-19T00:00:00
ID EDB-ID:15044
Type exploitdb
Reporter Abysssec
Modified 2010-09-19T00:00:00

Description

MOAUB #19 - JMD-CMS Multiple Remote Vulnerabilities. Webapps exploit for asp platform

                                        
                                            '''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-19-jmd-cms-multiple-remote-vulnerabilities/

'''

Abysssec Inc Public Advisory
 
 
  Title            :  JMD-CMS Multiple  Remote Vulnerabilities
  Affected Version :  JMD-CMS Alpha 3.0.0.9
  Discovery        :  www.abysssec.com
  Vendor	   :  http://www.jmdcms.com/

  Download Links   :  http://jmdcms.codeplex.com/releases/view/6674		      

  Dork		   :  "powered by jmdcms.com"
		      

  Admin Page       :  http://localhost/jmdcms/Login.aspx
  
 
Description :
===========================================================================================      
  This version of JMD-CMS(JMD-CMS Alpha 3.0.0.9) have Multiple Valnerabilities : 

        1- Upload arbitrary file with FCKEditor 
	2- Persistent XSS



1) Upload arbitrary file with FCKEditor:
===========================================================================================     

  With this vulnerability you can upload any file with this Link:

        http://localhost/jmdcms/FCKeditor/editor/fckeditor.html
or      http://localhost/jmdcms/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.aspx
  
  your files will be in this path:

        http://localhost/UserFiles/Image/



2) Persistent XSS Vulnerabilities:
===========================================================================================     

  1-In this path you can see a persistent XSS Valnerability in Caption field:
     (this page is accessible for Admin)

	http://localhost/jmdcms/addPage.aspx?Parent_Page=default

Vulnerable Code:
	In App_Web_25otrp1v.dll  --->  Modules_Admin_AddPage Class

        ////////////////////////////////////////////
	public void SavePage(string URI)
	...
	..	
	.
	this.Page_Name.Text = this.Page_Name.Text.Replace("~", "-");
        try
        {
        	server.JMD_PAGE_SAVE(this.Page_Id.Value, Util.SiteURL(URI), this.Page_Name.Text, this.Page_Caption.Text, this.Meta_Title.Text, this.Meta_Desc.Text, this.Meta_Keywords.Text, this.Parent_Page_Name.Text, str, str2, str3, this.CBLToString(this.View_Roles), this.CBLToString(this.Add_Roles), this.CBLToString(this.Edit_Roles), this.CBLToString(this.Delete_Roles), this.CBLToString(this.Move_Roles), this.CBLToString(this.Add_Module_Roles), "0", str4, this.Page_Sort.Text, str5);
        	...    
        }
	////////////////////////////////////////////

      As you can see No Sanitizasion for Value: this.Page_Caption.Text
      For example Caption can be: <script>alert(document.cookie)</script>             
	

   2- In Register Page :
	http://localhost/jmdcms/NewUser.aspx

      Code:
	In App_Web_25otrp1v.dll  --->  Modules_Core_NewUser class
        
	////////////////////////////////////////////
	public bool SaveUser()
	...
	..	
	.		
        try
        {
                server.JMD_USER_INSERT(this.User_Id.Value, Util.SiteURL(base.Request.QueryString["Pg"].ToString()), this.User_Name.Text, this.User_Display_Name.Text, str, salt, this.Email.Text);
         	...    
        }
	////////////////////////////////////////////
        
      No Sanitization for Values.
      For Example you can enter this values in Register Page: (This field  is limited to 50 Character)

      UserID      = user<script>alert(document.cookie)</script>    
      DisplayName = user<script>alert(document.cookie)</script>    
      Password    = user
      Email 	  = ur@yah.com<script>alert(document.cookie)</script>

      and when Admin see this page, your script will be run.
	http://localhost/jmdcms/Users.aspx

===========================================================================================