[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple vulnerabilities in ImpressCMS
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple vulnerabilities in ImpressCMS
- From: advisory@xxxxxxxxxxx
- Date: Wed, 4 Jan 2012 16:30:30 +0100 (CET)
Vulnerability ID: HTB23064
Reference:
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_impresscms.html
Product: ImpressCMS
Vendor: The ImpressCMS Project ( http://www.impresscms.org/ )
Vulnerable Version: 1.3 Final and probably prior
Tested Version: 1.3 Final
Vendor Notification: 14 December 2011
Vendor Patch: 27 December 2011
Vulnerability Type: XSS, Local file inclusion
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab (
https://www.htbridge.ch/advisory/ )
Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple
vulnerabilities in ImpressCMS, which can be exploited to perform cross-site
scripting and local file inclusion attacks.
1) Input appended to the URL after notifications.php is not properly sanitised
before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's
browser session in context of affected website.
The following PoC code is available:
<form
action='http://[host]/notifications.php/";><script>alert(document.cookie);</script>'
method="post">
<input type="hidden" name="del_not" value="1">
<input type="hidden" name="delete_ok" value="">
<input type="submit" value="submit" id="btn">
</form>
Successful exploitation of this vulnerability requires that Apache's directive
"AcceptPathInfo" is set to "on" or "default" (default value is "default").
2) Input appended to the URL after /modules/system/admin/images/browser.php is
not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in
administrator's browser session in context of affected website.
The following PoC code is available:
http://[host]/modules/system/admin/images/browser.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/?op=listimg&imgcat_id=1&target=&type=ibrow
Successful exploitation of this vulnerability requires that Apache's directive
"AcceptPathInfo" is set to "on" or "default" (default value is "default").
3) Input appended to the URL after /modules/content/admin/content.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in
administrator's browser session in context of affected website.
The following PoC code is available:
http://[host]/modules/content/admin/content.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/
Successful exploitation of this vulnerability requires that Apache's directive
"AcceptPathInfo" is set to "on" or "default" (default value is "default").
4) Input passed via the "icmsConfigPlugins[sanitizer_plugins]" GET parameter to
edituser.php is not properly verified before being used to include local files.
This can be exploited to include local files via directory traversal sequences
and URL-encoded NULL bytes.
The following PoC is available:
http://[host]/edituser.php?icmsConfigPlugins[sanitizer_plugins][]=../../../tmp/file%00
Successful exploitation of this vulnerability requires that the attacker is
registered and logged-in, "magic_quotes_gpc" are off and "Profile" module is
disabled.
Solution: Upgrade to ImpressCMS 1.2.7 Final or 1.3.1 Final
More information:
http://community.impresscms.org/modules/smartsection/item.php?itemid=579
Disclaimer: Details of this Advisory may be updated in order to provide as
accurate information as possible. The latest version of the Advisory is
available on the web page in Reference field.