MOAUB #19 - JMD-CMS Multiple Remote Vulnerabilities
2010-09-19 13:15:06'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub-19-jmd-cms-multiple-remote-vulnerabilities/
'''
Abysssec Inc Public Advisory
Title : JMD-CMS Multiple Remote Vulnerabilities
Affected Version : JMD-CMS Alpha 3.0.0.9
Discovery : www.abysssec.com
Vendor : http://www.jmdcms.com/
Download Links : http://jmdcms.codeplex.com/releases/view/6674
Dork : "powered by jmdcms.com"
Admin Page : http://localhost/jmdcms/Login.aspx
Description :
===========================================================================================
This version of JMD-CMS(JMD-CMS Alpha 3.0.0.9) have Multiple Valnerabilities :
1- Upload arbitrary file with FCKEditor
2- Persistent XSS
1) Upload arbitrary file with FCKEditor:
===========================================================================================
With this vulnerability you can upload any file with this Link:
http://localhost/jmdcms/FCKeditor/editor/fckeditor.html
or http://localhost/jmdcms/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.aspx
your files will be in this path:
http://localhost/UserFiles/Image/
2) Persistent XSS Vulnerabilities:
===========================================================================================
1-In this path you can see a persistent XSS Valnerability in Caption field:
(this page is accessible for Admin)
http://localhost/jmdcms/addPage.aspx?Parent_Page=default
Vulnerable Code:
In App_Web_25otrp1v.dll ---> Modules_Admin_AddPage Class
////////////////////////////////////////////
public void SavePage(string URI)
...
..
.
this.Page_Name.Text = this.Page_Name.Text.Replace("~", "-");
try
{
server.JMD_PAGE_SAVE(this.Page_Id.Value, Util.SiteURL(URI), this.Page_Name.Text, this.Page_Caption.Text, this.Meta_Title.Text, this.Meta_Desc.Text, this.Meta_Keywords.Text, this.Parent_Page_Name.Text, str, str2, str3, this.CBLToString(this.View_Roles), this.CBLToString(this.Add_Roles), this.CBLToString(this.Edit_Roles), this.CBLToString(this.Delete_Roles), this.CBLToString(this.Move_Roles), this.CBLToString(this.Add_Module_Roles), "0", str4, this.Page_Sort.Text, str5);
...
}
////////////////////////////////////////////
As you can see No Sanitizasion for Value: this.Page_Caption.Text
For example Caption can be: <script>alert(document.cookie)</script>
2- In Register Page :
http://localhost/jmdcms/NewUser.aspx
Code:
In App_Web_25otrp1v.dll ---> Modules_Core_NewUser class
////////////////////////////////////////////
public bool SaveUser()
...
..
.
try
{
server.JMD_USER_INSERT(this.User_Id.Value, Util.SiteURL(base.Request.QueryString["Pg"].ToString()), this.User_Name.Text, this.User_Display_Name.Text, str, salt, this.Email.Text);
...
}
////////////////////////////////////////////
No Sanitization for Values.
For Example you can enter this values in Register Page: (This field is limited to 50 Character)
UserID = user<script>alert(document.cookie)</script>
DisplayName = user<script>alert(document.cookie)</script>
Password = user
Email = [email protected]<script>alert(document.cookie)</script>
and when Admin see this page, your script will be run.
http://localhost/jmdcms/Users.aspx
===========================================================================================
Fixes
No fixesIn order to submit a new fix you need to be registered.