Message-ID: <CALH-=7xVMHAZNepzQJuQbwnY2eG5i8dUy8-AncfdFY4_36mb+g@mail.gmail.com>
Date: Thu, 12 Feb 2015 20:18:29 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Reflecting XSS vulnerabitlies,
 unrestricted file upload and underlaying CSRF in Landsknecht
 Adminsystems CMS v. 4.0.1 (DEV, beta version)

Advisory: Reflecting XSS vulnerabitlies, unrestricted file upload and
underlaying CSRF in Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta
version)
Advisory ID: SROEADV-2015-14
Author: Steffen Rösemann
Affected Software: Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta version)
Vendor URL: https://github.com/kneecht/adminsystems
Vendor Status: will be patched
CVE-ID: -

==========================
Vulnerability Description:
==========================

Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta version) suffers from
reflecting XSS- , unrestricted file-upload and an underlaying
CSRF-vulnerability.

==================
Technical Details:
==================

The content management system Landsknecht Adminsystems v. 4.0.1, which is
currently in beta development stage, suffers from reflecting
XSS-vulnerabilities, a unrestricted file-upload and an underlaying
CSRF-vulnerability.

==================
Reflecting XSS-vulnerabilities
==================

A reflecting XSS vulnerability can be found in the index.php and can be
abused via the vulnerable "page"-parameter. See the following example,
including exploit-example:

http://
{TARGET}/index.php?page=home%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&lang=de%27

Another reflecting XSS vulnerability can be found in the system.php-file
and can be exploited via the vulnerable "id" parameter:

http://
{TARGET}/asys/site/system.php?action=users_users&mode=edit&id=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

============================
Unrestricted file-upload / Underlaying CSRF
============================

Registered users and administrators are able to upload arbitrary files via
the following upload-form, located here:

http://{TARGET}/asys/site/files.php?action=upload&path=/

As there seems not be an existing permission-model, users can read/execute
files  an administrator/user uploaded and vice versa.

This issue includes an underlaying CSRF-vulnerability, as a user is able to
upload a malicious file and trick another user or the administrator into
visiting the link to the file.

All files get uploaded here without being renamed:

http://{TARGET}/upload/files/{UPLOADED_FILE}

=========
Solution:
=========

The vendor has been notified. He will provide a fix for the vulnerabilities
to prevent people who might use it from being attacked, although he would
not recommend using the CMS because it is in its beta stage.


====================
Disclosure Timeline:
====================
30-Jan-2015 – found the vulnerabilities
30-Jan-2015 - informed the developers (see [3])
30-Jan-2015 – release date of this security advisory [without technical
details]
30-Jan-2015 - forked Github repository of Adminsystems v. 4.0.1 to keep it
available for other security researchers (see [4])
12-Feb-2015 - release date of this security advisory
12-Feb-2015 - vendor will patch the vulnerabilities
12-Feb-2015 - send to FullDisclosure



========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] https://github.com/kneecht/adminsystems
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-14.html
[3] https://github.com/kneecht/adminsystems/issues/1
[4] https://github.com/sroesemann/adminsystems

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists