JAF-CMS 4.0_RC_2 Cross Site Scripting

2011-01-10T00:00:00
ID PACKETSTORM:97376
Type packetstorm
Reporter Akastep
Modified 2011-01-10T00:00:00

Description

                                        
# Exploit Title: [Persistent Cross Site Scripting Vulnerability In JAF-CMS ver 4.0_RC_2]
# Google Dork: [Site engine powered by JAF-CMS]  
# Date: [9 January 2011]   
# Author: Akastep  
# Software Link: http://jaf-cms.sourceforge.net/   
# Version: JAF-CMS ver 4.0_RC_2 (older versions may also be affected)
# Tested on: FreeBSD 7.1-PRERELEASE ~~~ PHP Version 5.2.11 ~~ JAF-CMS ver 4.0_RC_2  
  
  
####################################################################################  
JAF CMS (...just another flat file CMS) is a Content Management System (CMS) consisting
of a set of PHP scripts that let you maintain a personal home page in an easy way.
There is no need for a database: pages are stored in simple flat files.
http://jaf-cms.sourceforge.net/   
####################################################################################  
  
A persistent (stored) Cross Site Scripting vulnerability exists in the forum section of JAF-CMS ver 4.0_RC_2:
An attacker using this vulnerability can compromise the site.
He/She can deface the site, or steal the admin's cookie and then, using the stolen cookie + Minibrowser,
log in to the system as admin. :(
Exploitation:
Go to the JAF-CMS forum section, for example:
ht*p://127.0.0.1/index.php?page=forum
Open a new thread and simply inject your JavaScript payload, for example:
<script>alert(document.cookie);</script>
into the body of the topic you are creating, then post the topic.
Now open that topic: the XSS fires. The payload is stored in the flat file, so it executes for every visitor who views the topic.
  
What makes this vulnerability more dangerous:
If the site admin is logged in to the admin panel at
ht*p://127.0.0.1/admin/ <= page
and opens Administration panel => Mod Manager => Forum (Topic management section),
ht*p://127.0.0.1/admin/forum.php, the injected script runs in the admin's browser and the cookies are stolen automatically. This means no elaborate social engineering is needed to exploit this vulnerability.
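
The root cause described above (a topic body stored verbatim in a flat file and echoed back into HTML without escaping) in a minimal form, with the fix beside it. This is an added example written for this page, not JAF-CMS's own code; the file layout, the posts.txt flat file, and all function names are assumptions, and the session-cookie helper assumes PHP 7.3 or newer.

```php
<?php
// Added example (not JAF-CMS code): a minimal flat-file forum topic store
// showing the unsafe render pattern the advisory describes and its fix.
// File layout, function names and the posts flat-file path are assumptions.

declare(strict_types=1);

// Store a topic body exactly as submitted. Storing raw input is fine;
// the bug is in how it is rendered later.
function save_post(string $file, string $author, string $body): void
{
    $line = json_encode(['author' => $author, 'body' => $body], JSON_UNESCAPED_UNICODE);
    file_put_contents($file, $line . "\n", FILE_APPEND | LOCK_EX);
}

// Read all topics back from the flat file (one JSON object per line).
function load_posts(string $file): array
{
    if (!is_file($file)) {
        return [];
    }
    $posts = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $posts[] = json_decode($line, true);
    }
    return $posts;
}

// VULNERABLE: the stored body is echoed into HTML unescaped. A body such as
// <script>alert(document.cookie);</script> runs for every viewer of the topic,
// including the admin who opens the topic list in the admin forum manager.
function render_unsafe(array $post): string
{
    return "<div class=\"post\"><b>{$post['author']}</b><p>{$post['body']}</p></div>";
}

// FIXED: escape on output. ENT_QUOTES also covers attribute contexts and the
// explicit charset avoids multibyte bypasses. Apply to every user-controlled field.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $post): string
{
    return '<div class="post"><b>' . e($post['author']) . '</b><p>' . e($post['body']) . '</p></div>';
}

// Defence in depth against the cookie-theft step: an HttpOnly session cookie
// cannot be read through document.cookie. This does NOT stop injected script
// from acting as the logged-in admin, so output escaping is still required.
// (Assumes PHP >= 7.3 for the array form of session_set_cookie_params.)
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => isset($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Demo with a constructed payload (the one quoted in the advisory).
$file = tempnam(sys_get_temp_dir(), 'posts');
save_post($file, 'attacker', '<script>alert(document.cookie);</script>');
foreach (load_posts($file) as $post) {
    echo "unsafe: ", render_unsafe($post), "\n";
    echo "safe:   ", render_safe($post), "\n";
}
unlink($file);
```

Running the demo prints the raw `<script>` tag in the unsafe line and `&lt;script&gt;...&lt;/script&gt;` in the safe line. The same escaping has to be applied wherever the admin panel lists topic titles and bodies, since that is the path the advisory uses to reach the admin's session.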
  
A screenshot of a successful attack can be found here:
http://qovluq.biz/uploads/sh1.png  
  
  
  
/AkaStep  
  
4:36 09.01.2011  
  
  
  
WwW.AzHACk.CoM  
WwW.PiRaTes-CrEw.org  
WwW.AzDeFaCeRs.Org  
  
Fiery greetings to Azerbaijan!)
  
####################################################################################  
Allahu Akbar!  
####################################################################################  
  
  
  