Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

Axous 1.1.1 (and below) is prone to CSRF and persistent XSS vulnerabilities due to improper input sanitization of multiple parameters. More details follow:

CSRF Vulnerabilities
Axous 1.1.1 (and below) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameter when an authenticated user/admin browses a specially crafted web page. In this advisory I will only demonstrate how to add a new administrator, but with little modification to my exploit you can modify any of Axous’s parameters, as Axous does not use an anti-CSRF token.

Persistent XSS Vulnerabilities
Axous 1.1.1 (and below) is prone to multiple persistent XSS vulnerabilities due to improper input sanitization of the following parameters:
– “page_title” passed to server-side logic (path: “admin/content_pages_edit.php”) via the HTTP POST method.
Exploiting the “page_title” parameter, an authenticated administrator could insert arbitrary code in the “Title” field, which executes when another administrator clicks on the “Pages” link or on that specific page under the “Title” menu.
Furthermore, the injected code will trigger a persistent XSS for all unauthenticated users visiting that web page.
– “category_name[1]” passed to server-side logic (path: “admin/products_category.php”) via the HTTP POST method.
Exploiting the “category_name[1]” parameter, an administrator could insert arbitrary code in the “Category” field (under “Control Panel > Products”)
and create a persistent XSS for another administrator who clicks on the “Add New” button (again under “Control Panel > Products”).

– “site_name”, “seo_title” and “meta_keywords” parameters passed to the “admin/settings_siteinfo.php” script via the HTTP POST method.
Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator
who clicks the “Site info” link under the Settings menu.

– “company_name”, “address1”, “address2”, “city”, “state”, “country”, “author_first_name”, “author_last_name”, “author_email”, “contact_first_name”, “contact_last_name”, “contact_email”, “general_email”, “general_phone”, “general_fax”, “sales_email”, “sales_phone”, “support_email”, “support_phone” passed to the “admin/settings_company.php” script via the HTTP POST method.
Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who visits that injected menu.

– “system_email”, “sender_name”, “smtp_server”, “smtp_username”, “smtp_password”, “order_notice_email” parameters passed to “admin/settings_email.php” via the HTTP POST method.
Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who clicks the “Site info” link under the Settings menu.

Other parameters could be injected!
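The two controls whose absence the advisory describes, a synchronizer (anti-CSRF) token and output encoding of stored values, shown in a minimal hardened handler modelled on a page-title edit form. This is an added defensive example, not Axous code; the function names, the 200-character limit and the use of the session as a stand-in for the database write are assumptions.

```php
<?php
// Added defensive example, not Axous code: the two controls the advisory says are missing.
// 1. Synchronizer token: a cross-site page cannot read the victim's session token,
//    so a forged POST (e.g. "add administrator") fails the check.
// 2. Output encoding: a stored value such as page_title is rendered as inert text,
//    so an injected script tag is displayed, not executed.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP >= 7.3
session_start();

function csrf_token(): string {
    // One random token per session from a CSPRNG, 64 hex characters.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(): void {
    // Constant-time comparison; reject the request if the token is absent or wrong.
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

function e(string $s): string {
    // Escape for HTML text and attribute contexts.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check(); // the vulnerable handlers have no equivalent of this call
    $title = $_POST['page_title'] ?? '';
    if (!is_string($title) || trim($title) === '' || strlen($title) > 200) {
        http_response_code(400);
        exit('page_title must be 1-200 characters');
    }
    // Stand-in for the database write: store the raw value, escape on output.
    $_SESSION['demo_page_title'] = trim($title);
}
$stored = $_SESSION['demo_page_title'] ?? '';
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
  <label>Title <input name="page_title" value="<?= e($stored) ?>"></label>
  <button type="submit">Save</button>
</form>
<p>Pages: <a href="#"><?= e($stored) ?></a></p>
```

Every state-changing admin script (settings, products, user management) needs the same csrf_check() call, and every place a stored field is echoed needs e() or an equivalent context-appropriate encoder.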

To view my Original Advisory:
Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

MITRE CVE Numbering Authority assigned me CVE-2012-2629 for these vulnerabilities.

This advisory has been published on the following web sites:
http://xforce.iss.net/xforce/xfdb/75675
http://osvdb.org/show/osvdb/82075
http://osvdb.org/show/osvdb/82076
http://osvdb.org/show/osvdb/82077
http://osvdb.org/show/osvdb/82078
http://osvdb.org/show/osvdb/82079
http://osvdb.org/show/osvdb/82080
http://packetstormsecurity.org/files/112748/Axous-1.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18886/
http://www.1337day.com/exploits/18277