WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
https://wbce-cms.org
GNU General Public License v2.0

WebsiteBaker 2.8.3 - Multiple Vulnerabilities #1

Closed webbird closed 9 years ago

webbird commented 9 years ago

See

https://www.exploit-db.com/exploits/35277/

--- QUOTE ---

SQL Injection:

 /wb/admin/pages/modify.php?page_id=1

Cross-Site Scripting GET:

 /wb/admin/admintools/tool.php?tool=captcha_control&6d442"><script>alert(1)</script>8e3b12642a8=1
 /wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0
 /wb/modules/news/add_post.php?page_id=1&section_id=f953a"><script>alert(1)</script>4ddf3369c1f
 /wb/modules/news/modify_group.php?page_id=1&section_id=%008cf03"><script>alert(1)</script>2680504c3ec&group_id=62be99873b33d1d3
 /wb/modules/news/modify_post.php?page_id=1&section_id=%003874a<script>alert(1)</script>4194d511605&post_id=db89943875a2db52
 /wb/modules/news/modify_settings.php?page_id=1&section_id=%008b2f4"><script>alert(1)</script>bdc8b3919b5

HTTP RESPONSE SPLITTING:

If you enter a valid user and password, you can inject on the headers malicious code, example.

webbird commented 9 years ago

I have checked all but the response splitting. The XSS examples require that the user is already logged in to the backend; he will be forwarded to the login page otherwise. The given data will be dropped in that case.

webbird commented 9 years ago

I found the XSS problem in ./modules/admin.php and added a quite simple fix.
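
The requests quoted in the report carry markup in `section_id` values (some prefixed with a NUL byte) and, in the `tool.php` case, in a parameter name. The following is an added example, not the fix committed to ./modules/admin.php (which this thread does not show), of one way to handle both in PHP; the function names `request_id`, `html` and `safe_query` are hypothetical.

```php
<?php
// Added illustration; request_id(), html() and safe_query() are hypothetical
// names, not WBCE or WebsiteBaker functions.

/** Return a positive integer id, or null unless the raw value is plain digits
 *  (rejects NUL bytes, quotes, markup, arrays, signs and leading zeros). */
function request_id(array $source, string $key): ?int
{
    $raw = $source[$key] ?? null;
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Escape a value for an HTML text or quoted-attribute context. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Rebuild a query string for an href/action attribute from allow-listed
 *  parameter names only, so request-supplied names are never echoed. */
function safe_query(array $source, array $allowed): string
{
    $kept = [];
    foreach ($allowed as $name) {
        if (isset($source[$name]) && is_string($source[$name])) {
            $kept[$name] = $source[$name];
        }
    }
    return html(http_build_query($kept));
}

// Constructed sample input shaped like the requests quoted in the report.
$get = [
    'tool'       => 'captcha_control',
    'page_id'    => '1',
    'section_id' => "\0" . '8cf03"><script>alert(1)</script>',
    '6d442"><script>alert(1)</script>' => '1',
];

$page_id    = request_id($get, 'page_id');
$section_id = request_id($get, 'section_id');
// A null id means the request should be refused before any output is built.
var_dump($page_id, $section_id);
echo '<a href="tool.php?', safe_query($get, ['tool', 'page_id']), '">back</a>', "\n";
```

Validating the id at the point of entry means no later template has to remember to escape it, and the allow-list keeps unknown parameter names out of generated links entirely.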

webbird commented 9 years ago

The HTTP Response Splitting problem only occurs with PHP versions below 5.1. As WB requires 5.3, we can handle this as "fixed".