Lunar CMS 3.3 CSRF And Stored XSS Vulnerability

Title: Lunar CMS 3.3 CSRF And Stored XSS Vulnerability
Advisory ID: ZSL-2014-5188
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 21.06.2014
Summary
Lunar CMS is a freely distributable open source content management system written for use on servers running the ever so popular PHP5 & MySQL.
Description
Lunar CMS suffers from a cross-site request forgery (CSRF) vulnerability and a stored XSS vulnerability. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to the 'subject' and 'email' POST parameters through the 'Contact Form' extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
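As an added illustration of the two weaknesses described above (this is not Lunar CMS code and not the vendor's 3.3-3 fix), the following hypothetical PHP contact-form handler places the weak pattern beside the hardened one: a per-session CSRF token that every state-changing POST must present, and the 'subject' and 'email' values encoded with htmlspecialchars() before they are rendered back to any user. All function and variable names are assumptions; random_bytes() requires PHP 7, so on a PHP 5 build such as the one in "Tested On" it would be replaced with openssl_random_pseudo_bytes().

```php
<?php
// Added example (not Lunar CMS code): hypothetical contact-form handler.
// Helper names are assumed; stored messages would normally live in MySQL.

session_start();

// --- CSRF protection --------------------------------------------------------
// Issue one unpredictable token per session and embed it in every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any POST whose token is missing or does not match the session's.
// hash_equals() compares in constant time so the check leaks no timing info.
function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// --- Output encoding --------------------------------------------------------
// Encode on output so stored data can never break out of its HTML context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Weak pattern: untrusted 'email' and 'subject' echoed back verbatim.
function render_message_unsafe(array $msg): string {
    return '<p>From: ' . $msg['email'] . '</p>'
         . '<p>Subject: ' . $msg['subject'] . '</p>';
}

// Hardened pattern: identical markup, every untrusted value encoded.
function render_message_safe(array $msg): string {
    return '<p>From: ' . h($msg['email']) . '</p>'
         . '<p>Subject: ' . h($msg['subject']) . '</p>';
}

// Request handling for the hypothetical contact form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // First gate: the request must carry the token bound to this session.
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Second gate: validate the shape of the input before storing it.
    $email   = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = trim((string) ($_POST['subject'] ?? ''));
    if ($email === false || $subject === '' || strlen($subject) > 200) {
        http_response_code(400);
        exit('Invalid input.');
    }
    // store_message($email, $subject);   // assumed persistence helper
    echo render_message_safe(['email' => $email, 'subject' => $subject]);
} else {
    // GET: render the form with the anti-CSRF token for this session.
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">'
       . '<input name="email"><input name="subject">'
       . '<button type="submit">Send</button></form>';
}
```

The two gates are independent: the token check stops a third-party page from submitting the form on behalf of a logged-in user, while output encoding (applied at render time, not at storage time) stops any value that does reach the database from executing as script when an administrator later views the message.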
Vendor
Lunar CMS - http://www.lunarcms.com
Affected Version
3.3
Tested On
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vendor Status
[11.06.2014] Vulnerabilities discovered.
[12.06.2014] Vendor contacted.
[12.06.2014] Vendor replies asking more details.
[12.06.2014] Sent details to the vendor.
[12.06.2014] Vendor confirms the vulnerabilities.
[13.06.2014] Working with the vendor.
[19.06.2014] Vendor releases fixed version 3.3-3 to address these issues.
[21.06.2014] Coordinated public security advisory released.
PoC
lunarcms_csrfxss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://lunarcms.com/Get.html
[2] http://osvdb.org/show/osvdb/108350
[3] http://osvdb.org/show/osvdb/108351
[4] http://cxsecurity.com/issue/WLB-2014060122
[5] http://packetstormsecurity.com/files/127188
[6] http://www.securityfocus.com/bid/68153
[7] http://www.exploit-db.com/exploits/33830/
[8] http://secunia.com/advisories/59411/
[9] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4718
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4718
[11] http://xforce.iss.net/xforce/xfdb/93957
[12] http://xforce.iss.net/xforce/xfdb/93959
Changelog
[21.06.2014] - Initial release
[24.06.2014] - Added reference [2], [3], [4], [5], [6] and [7]
[25.06.2014] - Added reference [8]
[03.07.2014] - Added reference [9] and [10]
[05.07.2014] - Added reference [11] and [12]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk