Anchor v0.6-0.4 CMS - Persistent Web Vulnerability

Document Title:
===============
Anchor v0.6-0.4 CMS - Persistent Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=453


Release Date:
=============
2012-02-28


Vulnerability Laboratory ID (VL-ID):
====================================
453


Product & Service Introduction:
===============================
Anchor is a content management system, built especially for art-directed blogs.

Intuitively-built
Anchor aims to take away any of the extra pains you may recieve from using software. Don’t know when 
to upgrade? Anchor lets you know. Want to add custom metadata? You got it.

Bug-free
As is the constantly-developing nature of open-source software, any bugs that get found in Anchor are 
fixed as soon as they’re spotted. There may be bugs, but they’ll get fixed.

A global community
Anchor has users and contributors from all around the world, who all do their part to help make Anchor 
one of the best-maintained open-source projects on the internet.

Super-simple theming
If you’ve ever used WordPress, you’ll be able to theme Anchor within minutes. Even if you haven’t, it’s 
not a problem; you only need a basic knowledge of PHP to create powerful themes.

A teeny-tiny footprint
Unlike the majority of behemoth systems out there, Anchor weighs in at a minuscule 200kb, uncompressed; when 
zipped, it’s only 155kb — that’s the same size as a normal JPEG image.

Aesthetically-gifted
Anchor has been professionally-designed to ensure a nice, easy experience. Both the administration area and 
the site have a well-built design that’s easily extensible.


(Copy of the Vendor Homepage: http://anchorcms.com/features)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team  discovered a persistent web vulnerabiliy on Anchors v0.6-0.4 Content Management System.


Vulnerability Disclosure Timeline:
==================================
2012-02-22:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================
Anchor
Product: Content Management System 0.6-4-g3e6a0ae


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A persistent input validation vulnerability is detected Anchors v0.6-0.4 Content Management System. The bug allows 
remote attackers to implement/inject malicious script code on the application-side (persistent). The bug is located 
on the username input & output listing for administrators. Successful exploitation of the vulnerability allows remote 
attackers or local privileged user accounts to manipulate modules/context (persistent) & can result in account steal 
via session hijacking (user/mod/admin).


Vulnerable Module(s):
							[+] Username Input/Output & Listing


Picture(s):
							../1.png
							../2.png
							../3.png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with medium required user inter action or via local 
low privileged user account & low required user inter action. For demonstration or reproduce ...


<h1 xmlns="http://www.w3.org/1999/xhtml">Editing "><iframe h1="" profile<="" <’s="" [PERSISTEN SCRIPT CODE HERE!]' src="a">
<section class="content">

	<form method="post" action="/anchorcms/admin/users/edit/2" novalidate autocomplete="off">
		<fieldset>
			<p>
    			<label for="real_name">Real name:</label>
    			<input id="real_name" name="real_name" value=""><[PERSISTEN SCRIPT CODE HERE!] <">
    			
    			<em>The user’s real name. Used in author bylines (visible to public).</em>
    		</p>


... or the affected user listing =>

<ul xmlns="http://www.w3.org/1999/xhtml" class="list">
	    	    <li>
	        <a href="/anchorcms/admin/users/edit/1">
	            <strong>Administrator</strong>
	            <span>Username: admin</span>
	            
	            <i class="role">Administrator</i>
	        </a>

	    </li>
	    	    <li>
	        <a href="/anchorcms/admin/users/edit/2">
	            <strong>"><iframe strong="" <<="" [PERSISTEN SCRIPT CODE HERE!]' src="a">
	            <span>Username: "><[PERSISTEN SCRIPT CODE HERE!] <</span>
	            
	            <i class="role">Administrator</i>
	        </a>
	    </li>
	    	</ul>
</section>


Reference(s):
				../user.edit.dat
				../user-edit.txt
				../listing.txt


Solution - Fix & Patch:
=======================
1. Restrict the username input fields and parse it via secure exception-handling. 
2. Parse the output username listing to patch the issue.


Security Risk:
==============
The security risk of the persistent web vulnerability is estimated as medium(+).


Credits & Authors:
==================
Vulnerability Research Laboratory   -   N/A   Anonymous


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory