PlumeCMS <= 1.2.4 Multiple Persistent XSS

Posted on April 4, 2012 by admin_24

PlumeCMS 1.2.4 (and below) is prone to multiple peristent XSS vulnerability due to an improper input sanitization of multiple parameters.

“u_email” and “u_realname” parameters are not correctly sanitized before being passed to server side script “manager/users.php” via http POST method. An attacker – who is able to change his profile settings – could insert malicious code into “Email” and/or “Name” fields- within “Authors” template – in order to create a persistent XSS vulnerability for all user/admin who access to Plume’s management interface.
An unauthenticated user could insert html/javascript code in “Author” field within “ADD A COMMENT” section – which is present in every web page – due to an incorrect sanitization of “c_author” parameter. This will produce a Persistent XSS vulnerability for all user/admin who will click on “Comments” tab within Plume’s administration interface.

To view my Original Advisory:
PlumeCMS 1.2.4 Multiple Permanent XSS

MITRE CVE Numbering Authority assigned me CVE-2012-2156 for this vulnerability

Other Advisory’s publications:
http://www.securityfocus.com/bid/52890
http://secunia.com/advisories/40133
http://xforce.iss.net/xforce/xfdb/74614
http://osvdb.org/show/osvdb/80960
http://osvdb.org/show/osvdb/80961
http://packetstormsecurity.org/files/111596/PlumeCMS-1.2.4-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18699/
http://1337day.com/exploits/17963
http://www.thecybernuxbie.com/exploit-report/plumecms-1-2-4-multiple-persistent-xss.aspx
http://www.x-bug.com/exploits/221

SocialCMS <= 1.0.2 XSS (Persistent and Reflected) Vulnerabilities

Posted on March 30, 2012 by admin_24

SocialCMS 1.0.2 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of “TR_title” parameter, passed to “my_admin/admin1_list_pages.php” via http POST method. Exploiting this vulnerability an authenticated user – which is able to publish an article – could insert arbitrary code in web management interface “Title” field – under “my_admin/admin1_list_pages.php?id=<page_id>&action=edit” – that will be executed when an administrator – or another user – will browse that web page.

Improper input sanitization of “TR_title” parameter causes also a Reflected XSS for the user which inserts html/javascript code.

MITRE CVE Numbering Authority assigned me CVE-2012-1982 for this vulnerability.

To view my Original Advisory:
SocialCMS 1.0.2 XSS (Persistent and Reflected) Advisory

Simple Php Agenda <= 2.2.8 Multiple CSRF Vulnerabilities

Posted on March 28, 2012 by admin_24

Simple Php Agenda 2.2.8 (and lower) is affected by a CSRF Vulnerability which allows an attacker to add a new administrator, delete an existing administrator, create/delete a new event and change any other parameters. In this document I will only demonstrate how to:
- add a new administrator
- delete a existing administrator
- add a new event
- delete an existing event.
Other parameters can be also modified.

To view my Original Advisory:
Simple PHP Agenda 2.2.8 Multiple CSRF Advisory

MITRE CVE Numbering Authority for this vulnerability assigned me CVE-2012-1978

Sitecom WLM-2501 new Multiple CSRF Vulnerabilities

Posted on March 22, 2012 by admin_24

The web interface of this router is affected by multiple CSRF vulnerabilities which allows to change the following device’s parameters:

Disable Mac Filtering
Disable/Modify IP/Port Filtering
Disable/Modify Port Forwarding
Disable/Modify Wireless Access Control
Disable Wi-Fi Protected Setup
Disable/Modify URL Blocking Filter
Disable/Modify Domain Blocking Filter
Disable/Modify IP Address ACL
Change Wireless Passphrase
Enable/Modify Remote Access (also on WAN interface)

To view my Original Advisory:
Sitecom WLM-2501 new Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2012-1921 and CVE-2012-1922 for these vulnerabilities.

FlexCMS Multiple CSRF Vulnerabilities

Posted on March 16, 2012 by admin_24

FlexCMS 3.2.1(latest version) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameters when an authenticated user/admin browses a special crafted web page. In this Advisory I’ve only demonstrate how to change settings of user “demo” (is default user of demo page) and also I’ve created a new web page.

To read more about them you can download my Original Advisory.

MITRE CVE Numbering Authority assigned me CVE-2012-1901 for this vulnerability,

Other related publications:

Offensive Security Exploit-DB
NIST – National Vulnerability Database
Inj3ct0r
Packet Storm
Secunia Advisory SA48451
Kaspersky Lab Advisory
OSVDB
IBM X-Force

Secunia SA39961 – Razorcms Multiple Vulnerabilities

Posted on March 16, 2012 by admin_24

Secunia published new Advisory regarding my discovered vulnerability which affects Razor cms 1.2.1 and lower.

To read more about Secunia’s Advisory:
Secunia SA39961 Advisory

Sitecom WLM-2501 Change Wireless Passphrase

Posted on March 14, 2012 by admin_24

Yesterday I’ve discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.

To know more about these vulnerabilities please read my Original Advisory.

MITRE CVE Numbering Authority assigned me CVE-2012-1921 and CVE-2012-1922 for these vulnerabilities.

Other sources have published my Advisory:
Secunia Security Advisory 48840
Packet Storm
Offensive Security Exploit-DB
Inj3ct0r
IBM X-Force
Security Focus
http://packetstormsecurity.org/files/111941/Secunia-Security-Advisory-48840.html

Secunia – Contao cms (fka TYPOlight) CSRF Vulnerability

Posted on February 29, 2012 by admin_24

Secunia has published my new security Adsvisory regarding a new vulnerability found in latest release (and lower) of Contao CMS(fka TYPOlight). This vulnerability allows an attacker to delete administrator/users, articles, news, newsletter andmodify many other parameters.

To read Secunia’s Advisory:
http://secunia.com/advisories/48180/

To learn more about my Original Advisory:

http://ivanobinetti.blogspot.com/2012/02/contaocms-fka-typolight-211-csrf-delete.html

Secunia – Webfolio cms CSRF Vulnerability

Posted on February 29, 2012 by admin_24

Today Secunia published a my security Adsvisory regarding a new vulnerability found in Webfolio CMS which allows to add a new administrator account, modify published web pages and change many other parameters of latest release (and below) of Webfolio CMS.

To read Secunia’s Advisory:
http://secunia.com/advisories/48190

For know more about my original Advisory:
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

Secunia – Fork CMS Vulnerability

Posted on February 23, 2012 by admin_24

Secunia has published an advisory related to a “0day” vulnerabilty (http://ivanobinetti.blogspot.com/2012/02/forkcms-325-csrf-and-xss-0day.html which I’ve discovered in the past days and regarding a CSRF (Cross Site Request Forgery) which affects ForkCMS 3.2.5 and lower.
Secunia tested this vulnerability also in 3.2.6 version, latest release which ForkCMS team published few days ago.
As I already said in my advisory I think that ForkCMS in a very nice CMS which, with some security improvements, can become a great cms. May be that I will use it in the future.

Following you can read more details about Secunia Advisory:
https://secunia.com/advisories/48067

Also PacketStorm has published this Advisory:
http://packetstormsecurity.org/files/110069/sa48067.txt

Ivano Binetti

Personal Blog

Category Archives: Secunia