GeniXCMS v0.0.1 Persistent Script Insertion Vulnerability

2015-03-10T00:00:00
ID ZSL-2015-5233
Type zeroscience
Reporter Gjoko Krstic
Modified 2015-03-10T00:00:00

Description

Title: GeniXCMS v0.0.1 Persistent Script Insertion Vulnerability
Advisory ID: ZSL-2015-5233
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 10.03.2015

Summary

GenixCMS is a PHP Based Content Management System and Framework (CMSF). It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work.

Description

Input passed to the 'cat' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

MetalGenix - <http://www.genixcms.org>

Affected Version

0.0.1

Tested On

nginx/1.4.6 (Ubuntu)
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21

Vendor Status

[05.03.2015] Vulnerability discovered.
[05.03.2015] Vendor contacted.
[06.03.2015] Vendor responds asking more details.
[06.03.2015] Sent details to the vendor.
[07.03.2015] Vendor promises fix soon.
[10.03.2015] Vendor releases patched version.
[10.03.2015] Public security advisory released.

PoC

genixcms_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://blog.metalgenix.com/update-security-fix-and-add-newsletter-module/16>
[2] <https://github.com/semplon/GeniXCMS/commit/698245488343396185b1b49e7482ee5b25541815>
[3] <http://www.exploit-db.com/exploits/36321/>
[4] <http://osvdb.org/show/osvdb/119394>
[5] <http://osvdb.org/show/osvdb/119395>
[6] <http://cxsecurity.com/issue/WLB-2015030066>
[7] <http://packetstormsecurity.com/files/130771>
[8] <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101497>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2678>
[10] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2678>

Changelog

[10.03.2015] - Initial release
[11.03.2015] - Added reference [4], [5], [6] and [7]
[13.03.2015] - Added reference [8]
[24.03.2015] - Added reference [9] and [10]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;