what you don't know can hurt you

CM3 AcoraCMS XSS / CSRF / Redirection / Disclosure

CM3 AcoraCMS XSS / CSRF / Redirection / Disclosure
Posted Aug 26, 2013
Authored by Pedro Andujar

CM3 AcoraCMS versions 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, and 5.5.0/1b-p1 suffer from cross site request forgery, cross site scripting, information disclosure, weak cookies, and URL redirection vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure, csrf
advisories | CVE-2013-4722, CVE-2013-4723, CVE-2013-4724, CVE-2013-4725, CVE-2013-4726, CVE-2013-4727, CVE-2013-4728
MD5 | ff4e7b5606f1a69f78270c19ed79bbf1

CM3 AcoraCMS XSS / CSRF / Redirection / Disclosure

Change Mirror Download
          ===============================
- Advisory -
===============================

Tittle: CM3 AcoraCMS - Several Vulnerabilities
Risk: Medium
Date: 12.Sept.2012
Author: Pedro Andujar
Twitter: @pandujar


.: [ INTRO ] :.

Acora CMS is a sleek and powerful off-the-shelf content management application coupled with a deep and extensible advanced website development framework at a killer price. This home grown product is one of DDSN's key differentiators. It's in use by many high profile clients, but easily scales down for smaller websites too.

AcoraCMS is widely used accross Austalian IT companies, Banks and government websites.


.: [ TECHNICAL DESCRIPTION ] :.

AcoraCMS, v6.0.6/1a, v6.0.2/1a, v5.5.7/12b, v5.5.0/1b-p1 (and probably others), are prone to several security issues as described below;


.: [ ISSUE #1 }:.

Name: Reflected Cross Site Scripting
Severity: Medium
CVE: CVE-2013-4722

Due to lack of input validation and output escaping in the default.asp page,
parameters such username, url, qstr, etc. can be used by an attacker to perform XSS
attacks.

Example:

/AcoraCMS/Admin/login/default.asp?username="</div><script>alert(document.cookie)</script>

/AcoraCMS/Admin/login/default.asp?url="</form><META HTTP-EQUIV=Refresh CONTENT="0; URL=http://www.google.es">


.: [ ISSUE #2 }:.

Name: URL Redirect
Severity Medium
CVE: CVE-2013-4723

URL redirection functionality doesn't verify that VirtualPath are relatives.

Example:

/AcoraCMS/track.aspx?m=1&l=//www.google.es


.: [ ISSUE #3 }:.

Name: Username and password sent in clear text
Severity: Medium

Authentication credentials (username and password) and session cookies are unencrypted.


.: [ ISSUE #4 }:.

Name: Cookie Lack of Hardening
Severity: Low
CVE: CVE-2013-4724 & CVE-2013-4725

Cookies are not hardened using HttpOnly or Secure flags.


.: [ ISSUE #5 }:.

Name: XSRF
Severity: Low
CVE: CVE-2013-4726

The application lacks controls to prevent Cross Site Request Forgery.


.: [ ISSUE #6 }:.

Name: Information Leaks
Severity: Low
CVE: CVE-2013-4727 & CVE-2013-4728

* Unauthenticated users are able to retrive _viewstate encoded base64 information.

/AcoraCMS/Admin/top.aspx

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMgTmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg"
/>
</div>

Once decoded gives you information about the version and license including the company who owns the license, it
could be used for fingerprinting the application:

-486210519 d f d d d
f Text $DigitalSec Networks Websited
Enterprised v5.4.5/4a-cdd Anonymous (Public Internet
User)d VisiblehdddĂ’q ^er (


* Application Physical Path exposed to unauthenticated users

/AcoraCMS/track.aspx?m=1&l=..\..

Exception Details: System.Web.HttpException: Cannot use a leading ..
to exit above the top directory.
Source File: d:\Path\to\site\AcoraCMS\track.aspx.cs Line: 57



.: [ CHANGELOG ] :.

* 12/Sep/2012: - Vulnerability discovered.
* 27/May/2013: - Vendor contacted. No response
* 19/Aug/2013: - Vendor recontacted. No response
* 26/Aug/2013: - Public

.: [ SOLUTIONS ] :.

N/A




.: [ REFERENCES ] :.

[+] Acora CMS
http://www.ddsn.com/knowledge-base/cm3-acora-cms.aspx

[+] Clients & Projects
http://www.ddsn.com/portfolio/clients.aspx

[+] CM3CMS
http://www.cm3cms.com/

[+] !dSR - Digital Security Research
http://www.digitalsec.net/




Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close