exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ImpressCMS 1.3 Final Cross Site Scripting / Local File Inclusion

ImpressCMS 1.3 Final Cross Site Scripting / Local File Inclusion
Posted Jan 4, 2012
Authored by High-Tech Bridge SA | Site htbridge.com

ImpressCMS version 1.3 Final suffers from cross site scripting and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, xss, file inclusion
SHA-256 | 26e84bfacb999830ae889786b3bb6072cb73e0fd403c3a62ec44f96785279992

ImpressCMS 1.3 Final Cross Site Scripting / Local File Inclusion

Change Mirror Download
Vulnerability ID: HTB23064
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_impresscms.html
Product: ImpressCMS
Vendor: The ImpressCMS Project ( http://www.impresscms.org/ )
Vulnerable Version: 1.3 Final and probably prior
Tested Version: 1.3 Final
Vendor Notification: 14 December 2011
Vendor Patch: 27 December 2011
Vulnerability Type: XSS, Local file inclusion
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in ImpressCMS, which can be exploited to perform cross-site scripting and local file inclusion attacks.

1) Input appended to the URL after notifications.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.

The following PoC code is available:


<form action='http://[host]/notifications.php/"><script>alert(document.cookie);</script>' method="post">
<input type="hidden" name="del_not" value="1">
<input type="hidden" name="delete_ok" value="">
<input type="submit" value="submit" id="btn">
</form>


Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").

2) Input appended to the URL after /modules/system/admin/images/browser.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC code is available:

http://[host]/modules/system/admin/images/browser.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/?op=listimg&imgcat_id=1&target=&type=ibrow

Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").

3) Input appended to the URL after /modules/content/admin/content.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.

The following PoC code is available:

http://[host]/modules/content/admin/content.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/

Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").

4) Input passed via the "icmsConfigPlugins[sanitizer_plugins]" GET parameter to edituser.php is not properly verified before being used to include local files.
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.

The following PoC is available:

http://[host]/edituser.php?icmsConfigPlugins[sanitizer_plugins][]=../../../tmp/file%00

Successful exploitation of this vulnerability requires that the attacker is registered and logged-in, "magic_quotes_gpc" are off and "Profile" module is disabled.

Solution: Upgrade to ImpressCMS 1.2.7 Final or 1.3.1 Final

More information:
http://community.impresscms.org/modules/smartsection/item.php?itemid=579

Disclaimer: Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on the web page in Reference field.
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close