CompactCMS 1.4.1 Multiple Vulnerabilities

vendor:

CompactCMS

by:

NLSecurity

7.5

CVSS

HIGH

XSS and File Disclosure

79, 200

CWE

Product Name: CompactCMS

Affected Version From: CompactCMS 1.4.1

Affected Version To: CompactCMS 1.4.1

Patch Exists: NO

Related CWE: N/A

CPE: a:compactcms:compactcms:1.4.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

CompactCMS 1.4.1 Multiple Vulnerabilities

CompactCMS 1.4.1 has multiple XSS and File Disclosure vulnerabilities. These file disclosures will appear if the users have access to view open directories. The XSS vulnerabilities can be found in the afdrukken.php and permissions.Manage.php files.

Mitigation:

Ensure that users do not have access to view open directories. Additionally, ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

# Exploit Title: CompactCMS 1.4.1 Multiple Vulnerabilities
# Google Dork: 	 intext:"Maintained with CompactCMS.nl" intitle:"Print: *"
# Date:          17-12-2010
# Author:        NLSecurity
# Software Link: http://files.compactcms.nl/stable/
# Version:       CompactCMS 1.4.1
# Credits:       http://www.nlsecurity.org/
# Extra:         irc.6667.eu  #main

Description:

CompactCMS 1.4.1 has multiple XSS and File Disclosure vulnerabilities. These file disclosures will
appear if the users have access to view open directories.

--- File Disclosures ---

/admin/includes/modules/backup-restore/
/admin/includes/modules/backup-restore/content-owners/
/admin/includes/modules/backup-restore/module-management/
/admin/includes/modules/backup-restore/permissions/
/admin/includes/modules/backup-restore/template-editor/
/admin/includes/modules/backup-restore/user-management/

/admin/includes/fancyupload/
/admin/includes/fancyupload/Assets/
/admin/includes/fancyupload/Assets/Icons/

/admin/includes/fancyupload/Backend/
/admin/includes/fancyupload/Backend/Assets/
/admin/includes/fancyupload/Backend/Assets/getid3/

/admin/includes/fancyupload/Language/
/admin/includes/fancyupload/Source/
/admin/includes/fancyupload/Source/Uploader/

/admin/includes/edit_area/
/admin/includes/edit_area/images/
/admin/includes/edit_area/langs/
/admin/includes/edit_area/reg_syntax/

/admin/img/mochaui/
/admin/img/styles/
/admin/img/uploader/

/_docs/

... Perhaps more, but this should give an idea. :-)

--- Cross-Site Scripting Vulnerabilities (XSS) ---

/afdrukken.php?page=">[XSS]

This can be found on line 48:
<strong><a href="<?php echo $ccms['rootdir'];?><?php echo ($_GET['page']!=$cfg['homepage'])?$_GET['page'].'.html':null; ?>"><?php echo $ccms['lang']['system']['tooriginal']; ?></a></strong>
Vuln: $_GET['page']

---

/admin/includes/modules/permissions/permissions.Manage.php?status=notice&msg=[XSS]

This can be found on line 62:
<?php if(isset($_GET['msg'])) { echo '<span class="ss_sprite ss_confirm">'.$_GET['msg'].'</span>'; } ?>
Vuln: $_GET['msg']

---

/lib/includes/auth.inc.php
Username input field (userName) has an XSS vulnerability when using POST data.

This can be found on line 119:
<label for="userName"><?php echo $ccms['lang']['login']['username']; ?></label><input type="text" class="alt title" autofocus placeholder="username" name="userName" style="width:300px;" value="<?php echo (!empty($_POST['userName'])?$_POST['userName']:null);?>" id="userName" />
Vuln: $_POST['userName']