XSS-vulnerabilities, unrestricted file-upload and underlaying CSRF-vulnerability in Adminsystems CMS v.4.0.1 (DEV)

Dear developer.

I found XSS-vulnerabilities, an unrestricted file-upload and an underlaying CSRF-vulnerability in your CMS Adminsystems v. 4.0.1 (DEV).

I am aware, that this content management system is currently in early development stage. If you are interested in the technical details to patch those vulnerabilities, please provide me an email-address, where I can send my informations of this issue to. Otherwise, if you don't mind, I can post the technical details here on Github directly.

I am releasing a security advisory on my blog without technical details, see here:

http://sroesemann.blogspot.de/2015/01/sroeadv-2015-14.html

Please contact me until 14th February 2015 (UTC+1) to exchange the informations about these vulnerabilities and to arrange a release-date for a patch and the technical information for my advisory, otherwise I will release the technical details as well on my blog and submit the issue to the security-mailinglist FullDisclosure, to track those bugs and warn potential users.

Greetings from Germany.

Steffen Rösemann

[AschauerMarvin]

Hi Steffen,

thank you for your message. I don't recommend to use this CMS anyway, it's just a "sandbox" i used to play with years ago and put it here on GitHub to store it.

If you want, you can post the informations right here. I will look over them and fix it, just in case.

Greetings,
Marvin

Hi Marvin.

Okay, as you wish, I will post the information here directly.

Your CMS suffers from reflecting XSS-vulnerabilities, please see here (including exploit examples):

Reflecting XSS in index.php, parameter page:

http://{TARGET}/index.php?page=home%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&lang=de%27

Reflecting XSS in system.php, id parameter:

http://{TARGET}/asys/site/system.php?action=users_users&mode=edit&id=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

Moreover, the Content Management System suffers from an unrestricted file upload. Users and administrators can upload arbitrary files via the following path:

http://{TARGET}/asys/site/files.php?action=upload&path=/

As there seems not to be an existing folder/file-permission system, a user can read/execute the files, an administrator uploaded, as the upload-path for the files, which don't get renamed, is the following path:

http://{TARGET}/upload/files/{UPLOADED_FILE}

This contains a underlaying CSRF vulnerability, too, as a user is in the position to upload a malicious file and trick the administrator into visiting the link to the file and let it being execute.

If you have any questions, feel free to ask. I will publish the technical details as security advisory on my blog (SROEADV-2015-14), see http://sroesemann.blogspot.de.

Greetings.

Steffen

These issues have been assigned the following CVE-IDs: CVE-2015-1603 (XSS vulnerabilities) and CVE-2015-1604 (arbitrary file upload). See http://seclists.org/oss-sec/2015/q1/560.

I followed the interpretation of MITRE, that the file-uploading issue doesn't contain an underlaying CSRF.

Greetings.

Steffen

[AschauerMarvin]

Hi Steffen,
i (hopefully) fixed the xss issues and the missing permission check on the file upload in v4.0.2.
The file upload / extension check is really quirky, but should do it for now.

Additionally, i made it more clear in the readme to don't use that software.

Thank you for your reports!

Greetings,
Marvin