Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

jmd-cms - Multiple Vulnerabilities

🗓️ 19 Sep 2010 00:00:00Reported by AbysssecType 
exploitpack
 exploitpack👁 21 Views

JMD-CMS Alpha 3.0.0.9 Multiple Remote Vulnerabilities, including file upload and persistent XS

Code
'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-19-jmd-cms-multiple-remote-vulnerabilities/

'''

Abysssec Inc Public Advisory
 
 
  Title            :  JMD-CMS Multiple  Remote Vulnerabilities
  Affected Version :  JMD-CMS Alpha 3.0.0.9
  Discovery        :  www.abysssec.com
  Vendor	   :  http://www.jmdcms.com/

  Download Links   :  http://jmdcms.codeplex.com/releases/view/6674		      

  Dork		   :  "powered by jmdcms.com"
		      

  Admin Page       :  http://localhost/jmdcms/Login.aspx
  
 
Description :
===========================================================================================      
  This version of JMD-CMS(JMD-CMS Alpha 3.0.0.9) have Multiple Valnerabilities : 

        1- Upload arbitrary file with FCKEditor 
	2- Persistent XSS



1) Upload arbitrary file with FCKEditor:
===========================================================================================     

  With this vulnerability you can upload any file with this Link:

        http://localhost/jmdcms/FCKeditor/editor/fckeditor.html
or      http://localhost/jmdcms/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.aspx
  
  your files will be in this path:

        http://localhost/UserFiles/Image/



2) Persistent XSS Vulnerabilities:
===========================================================================================     

  1-In this path you can see a persistent XSS Valnerability in Caption field:
     (this page is accessible for Admin)

	http://localhost/jmdcms/addPage.aspx?Parent_Page=default

Vulnerable Code:
	In App_Web_25otrp1v.dll  --->  Modules_Admin_AddPage Class

        ////////////////////////////////////////////
	public void SavePage(string URI)
	...
	..	
	.
	this.Page_Name.Text = this.Page_Name.Text.Replace("~", "-");
        try
        {
        	server.JMD_PAGE_SAVE(this.Page_Id.Value, Util.SiteURL(URI), this.Page_Name.Text, this.Page_Caption.Text, this.Meta_Title.Text, this.Meta_Desc.Text, this.Meta_Keywords.Text, this.Parent_Page_Name.Text, str, str2, str3, this.CBLToString(this.View_Roles), this.CBLToString(this.Add_Roles), this.CBLToString(this.Edit_Roles), this.CBLToString(this.Delete_Roles), this.CBLToString(this.Move_Roles), this.CBLToString(this.Add_Module_Roles), "0", str4, this.Page_Sort.Text, str5);
        	...    
        }
	////////////////////////////////////////////

      As you can see No Sanitizasion for Value: this.Page_Caption.Text
      For example Caption can be: <script>alert(document.cookie)</script>             
	

   2- In Register Page :
	http://localhost/jmdcms/NewUser.aspx

      Code:
	In App_Web_25otrp1v.dll  --->  Modules_Core_NewUser class
        
	////////////////////////////////////////////
	public bool SaveUser()
	...
	..	
	.		
        try
        {
                server.JMD_USER_INSERT(this.User_Id.Value, Util.SiteURL(base.Request.QueryString["Pg"].ToString()), this.User_Name.Text, this.User_Display_Name.Text, str, salt, this.Email.Text);
         	...    
        }
	////////////////////////////////////////////
        
      No Sanitization for Values.
      For Example you can enter this values in Register Page: (This field  is limited to 50 Character)

      UserID      = user<script>alert(document.cookie)</script>    
      DisplayName = user<script>alert(document.cookie)</script>    
      Password    = user
      Email 	  = [email protected]<script>alert(document.cookie)</script>

      and when Admin see this page, your script will be run.
	http://localhost/jmdcms/Users.aspx

===========================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Sep 2010 00:00Current
0.3Low risk
Vulners AI Score0.3
jmd-cmsalpha 3.0.0.9remote vulnerabilitiesfile uploadpersistent xssfckeditoradmin pageregister page
21