Document Title:
===============
Macs Framework v1.14f CMS - Multiple Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2206

Release Date:
=============
2020-04-14

Vulnerability Laboratory ID (VL-ID):
====================================
2206

Common Vulnerability Scoring System:
====================================
7.4

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management System. It focuses mainly on the Edit In Place editing concept. It comes with a built-in blog with moderation support, a user manager section, a roles manager section, and SEO / SEF URLs.

https://sourceforge.net/projects/macs-framework/files/latest/download

(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/)

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Macs Framework v1.1.4f CMS.

Affected Product(s):
====================
Macrob7
Product: Macs Framework v1.14f - Content Management System

Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
1.1 & 1.2
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official Macs Framework v1.1.4f Content Management System.
The vulnerability allows remote attackers to manipulate client-side browser-to-web-application requests to compromise user session credentials or to manipulate module content.

The first vulnerability is located in the search input field of the search module. Remote attackers are able to inject their own malicious script code as a search entry so that it executes within the results page that is loaded shortly after the request is performed. The request method to inject is POST and the attack vector is located on the client side with a non-persistent attack vector.

The second vulnerability is located in the email input field of the account reset function. Remote attackers are able to inject their own malicious script code as the email address used to reset the password, so that the code executes within the performed request. The request method to inject is POST and the attack vector is located on the client side with a non-persistent attack vector.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] searchString
[+] emailAddress

1.3
Multiple remote sql-injection web vulnerabilities have been discovered in the official Macs Framework v1.1.4f Content Management System.
The vulnerability allows remote attackers to inject or execute their own sql commands to compromise the dbms or file system of the application.

The sql injection vulnerabilities are located in the `roleId` and `userId` parameters of the `editRole` and `deleteUser` modules. The request method to inject or execute commands is GET and the attack vector is located on the application side. Attackers with privileged accounts that are allowed to edit are able to inject their own sql queries via roleId and userId on deleteUser or editRole. Multiple unhandled and broken sql queries are also visible to users as default debug output.
Exploitation of the remote sql injection vulnerability requires no user interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] deleteUser
[+] editRole

Vulnerable Parameter(s):
[+] userId
[+] roleId

Proof of Concept (PoC):
=======================
Google Dork(s): intitle, subtitle & co.
Site Powered by Mac's PHP MVC Framework
Framework of the future
Design downloaded from Zeroweb.org: Free website templates, layouts, and tools.

1.1
The non-persistent cross site scripting web vulnerability can be exploited by remote attackers without a user account and with low user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.

PoC: Payload
>">

--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; ajaxRequest=true
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 335
-
https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; ajaxRequest=true
&=&emailAddress=test"
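The following Python example is added here and is not code from Macs Framework, from Macrob7, or from the Vulnerability Laboratory advisory. It models the two defect classes the advisory describes, the reflected cross site scripting in `searchString` / `emailAddress` (1.1 and 1.2) and the sql injection in `userId` / `roleId` of `deleteUser` / `editRole` (1.3), each written beside its hardened counterpart, against an in-memory SQLite database since Macs CMS stores its data in SQLite. The table layout (`users`, `roles`), the function names, and the sample rows are assumptions constructed for illustration; the CMS's real schema and code are not shown on this page.

```python
# Added example, not code from Macs Framework or the advisory: each defect
# class the advisory describes, written next to its hardened counterpart.
# Table and function names are assumptions chosen for illustration; the
# sample rows are constructed.
import html
import re
import sqlite3


def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userId INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE roles (roleId INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'admin'), (2, 'editor'), (3, 'guest');
        INSERT INTO roles VALUES (1, 'administrator'), (2, 'moderator');
    """)
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def role_name(conn, role_id):
    row = conn.execute("SELECT name FROM roles WHERE roleId = ?", (role_id,)).fetchone()
    return row[0] if row else None


# --- 1.1 / 1.2: reflected XSS in searchString / emailAddress -----------------

def render_search_unsafe(search_string):
    """Vulnerable pattern: the submitted value is written into the page as-is,
    so any markup in it becomes part of the document."""
    return '<p class="results" data-q="%s">Results for: %s</p>' % (
        search_string, search_string)


def render_search(search_string):
    """Hardened: encode at the output point. quote=True also encodes " and ',
    which is what stops an attribute-context breakout such as the advisory's
    payload that starts with '">'. The same encoding applies to the email
    address reflected by the password reset function."""
    safe = html.escape(search_string, quote=True)
    return '<p class="results" data-q="%s">Results for: %s</p>' % (safe, safe)


# --- 1.3: SQL injection in userId / roleId of deleteUser / editRole ----------

def delete_user_unsafe(conn, user_id):
    """Vulnerable pattern: the request parameter is concatenated into the query,
    so a value such as '1 OR 1=1' widens the WHERE clause to every row."""
    conn.execute("DELETE FROM users WHERE userId = " + user_id)
    conn.commit()
    return count_users(conn)


_ID = re.compile(r"[1-9][0-9]*")


def parse_id(value):
    """Request parameters arrive as strings; accept only a positive integer."""
    if not _ID.fullmatch(value):
        raise ValueError("invalid id")
    return int(value)


def delete_user(conn, user_id):
    """Hardened: strict input validation, a bound parameter, and no DBMS error
    text returned to the client (the advisory notes that broken queries were
    shown to users as debug output)."""
    try:
        uid = parse_id(user_id)
    except ValueError:
        return "rejected"
    try:
        cur = conn.execute("DELETE FROM users WHERE userId = ?", (uid,))
        conn.commit()
    except sqlite3.Error:
        return "error"
    return "deleted" if cur.rowcount == 1 else "not found"


def edit_role(conn, role_id, new_name):
    """Hardened editRole: both the id and the free-text name are bound
    parameters, so quotes in new_name are stored literally."""
    try:
        rid = parse_id(role_id)
    except ValueError:
        return "rejected"
    cur = conn.execute("UPDATE roles SET name = ? WHERE roleId = ?", (new_name, rid))
    conn.commit()
    return "updated" if cur.rowcount == 1 else "not found"


if __name__ == "__main__":
    db = make_db()
    print(render_search('">'))
    print(delete_user(db, "1 OR 1=1"), count_users(db))
    print(delete_user_unsafe(make_db(), "1 OR 1=1"))
```

The validation step is deliberately stricter than a cast: `parse_id` accepts only a decimal integer, so anything else is refused before a query is built, and the bound parameter means even a value that passes validation is never interpreted as sql. Returning a fixed string instead of the `sqlite3.Error` message is what removes the debug output the advisory mentions.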