High-Tech Bridge SA Security Research Lab has discovered three vulnerabilities in AneCMS, which could be exploited to perform cross-site scripting and script insertion attacks and to execute arbitrary SQL commands in the application's database.
Cross-site scripting (XSS) vulnerability in AneCMS
The vulnerability exists due to insufficient sanitization of the "descr" parameter in acp/pages/cfg.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
<form action="http://demo.anecms.com/acp/?p=cfg&m=smod" method="post" name="main" >
<input type="hidden" name="title" value="ANE CMS" />
<input type="hidden" name="descr" value='A New Era of CMS DEMO "><script>alert(document.cookie)</script>' />
<input type="hidden" name="language" value="it" />
<input type="hidden" name="url_base" value="http://demo.anecms.com/" />
</form>
<script>
document.main.submit();
</script>
Script insertion vulnerability in AneCMS: CVE-2010-2437
Input passed to the "comment" field is not properly sanitized before being stored by modules/blog/index.php. A remote attacker can insert arbitrary HTML and script code, which will be executed in the user's browser in the context of the vulnerable website when a user views the malicious data.
Exploitation example:
To exploit this vulnerability fill in the comment field with the following text:
hello <script>alert(document.cookie)</script>
SQL injection vulnerability in AneCMS: CVE-2010-2436
The vulnerability exists due to insufficient sanitization of the URL in the modules/blog/index.php script. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
http://host/blog/1+ANY_SQL_CODE_HERE/Demo_of_ANE_CMS#comment-63
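The defensive side of the three issues above, as an added illustration written for this advisory and not taken from AneCMS itself: the function names, the `blog` table and its columns are assumed, and the inputs fed in at the bottom are the advisory's own proof-of-concept values.

```php
<?php
// Added illustration, not AneCMS code: hypothetical hardened handlers for the
// three inputs named in this advisory (function names and schema assumed).

// Issue 1 (reflected XSS in "descr", acp/pages/cfg.php) and issue 2 (stored
// script insertion in "comment", modules/blog/index.php) share one fix:
// HTML-encode untrusted text at the point where it is written into the page.
// ENT_QUOTES also encodes the double quote that the proof of concept relies
// on to break out of the value="..." attribute.
function render_field(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '" />';
}

// Issue 3 (SQL injection through "/blog/<id>/<title>"): the id segment is
// accepted only if it is a bare run of digits followed by "/" or the end of
// the path, so a value such as "1+ANY_SQL_CODE_HERE" is rejected outright.
function blog_id_from_path(string $path): ?int
{
    if (preg_match('#^/blog/(\d+)(?:/|$)#', $path, $m) !== 1) {
        return null; // anything that is not a plain integer id is refused
    }
    return (int) $m[1];
}

// The validated id is then bound as a query parameter rather than
// concatenated into the SQL string (table "blog" and its columns assumed).
function load_post(PDO $db, string $path): ?array
{
    $id = blog_id_from_path($path);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM blog WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed check using the advisory's own example values:
echo render_field('descr', 'A New Era of CMS DEMO "><script>alert(document.cookie)</script>'), "\n";
var_dump(blog_id_from_path('/blog/1+ANY_SQL_CODE_HERE/Demo_of_ANE_CMS')); // NULL: rejected
var_dump(blog_id_from_path('/blog/1/Demo_of_ANE_CMS'));                    // int(1)
```

The encoded `descr` value renders as literal text inside the attribute instead of closing it, and the injected URL never reaches the database because the id fails validation before any query is built.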