← Advisories

ZeewaysCMS Multiple Vulnerabilities

Medium
Advisory ID
ZSL-2016-5319
Release Date
06 May 2016
Vendor
Zeeways - http://www.zeewayscms.com
Affected Version
unknown
CVE
N/A
Tested On
Apache/2.2.27, PHP/5.4.28
Summary

ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates, Individuals or any kind of Business needs.

Description

ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET parameter is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept
zeewayscms_mv.txtTXT
Disclosure Timeline
25.03.2016Vulnerability discovered.
25.03.2016Vendor contacted.
29.03.2016Follow up with the vendor.
29.03.2016Vendor responded asking for details.
29.03.2016Advisory and details sent to the vendor.
06.04.2016Follow up with the vendor. No response received.
06.05.2016Public security advisory released.
Credits
Vulnerability discovered by Bikramaditya Guha
References
[1]https://cxsecurity.com/issue/WLB-2016050029
[2]https://www.exploit-db.com/exploits/39784/
[3]https://packetstormsecurity.com/files/137000
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/113130
[5]https://exchange.xforce.ibmcloud.com/vulnerabilities/113133
Changelog
06.05.2016Initial release
21.05.2016Added reference [1], [2], [3], [4] and [5]