San Francisco: +1 (415) 635 3784  |  Geneva: +41 (022) 723 2424   |  
ImmuniWeb® Login | Register
ImmuniWeb® by High-Tech Bridge


High-Tech Bridge Newsletter

Subscribe to our newsletter and receive some or all of our corporate news, invitations to security events or HTB Security Advisories – you choose what you want to receive.

Multiple vulnerabilities in ImpressCMS

Advisory ID:HTB23064
Product:ImpressCMS
Vendor:The ImpressCMS Project ( http://www.impresscms.org/ )
Vulnerable Versions:1.3 Final and probably prior
Tested Version:1.3 Final
Advisory Publication:December 14, 2011 [without technical details]
Vendor Notification:December 14, 2011
Vendor Fix:December 27, 2011
Public Disclosure:January 4, 2012
Latest Update:December 27, 2011
Vulnerability Type:Cross-Site Scripting [CWE-79]
PHP File Inclusion [CWE-98]
CVE References:CVE-2012-0986
CVE-2012-0987
Risk Level:High
CVSSv2 Base Scores:4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in ImpressCMS, which can be exploited to perform cross-site scripting and local file inclusion attacks.

1) Multiple Arbitrary XSS vulnerabilities in ImpressCMS: CVE-2012-0986
1.1 Input appended to the URL after notifications.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.
The following PoC code is available:
<form action='http://[host]/notifications.php/"><script>alert(document.cookie);</scrip t>' method="post">
<input type="hidden" name="del_not" value="1">
<input type="hidden" name="delete_ok" value="">
<input type="submit" value="submit" id="btn">
</form>

Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").
1.2 Input appended to the URL after /modules/system/admin/images/browser.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.
The following PoC code is available:
http://[host]/modules/system/admin/images/browser.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/?op=listimg&imgcat_id=1&target=&type=ibrow
Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").
1.3 Input appended to the URL after /modules/content/admin/content.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.
The following PoC code is available:
http://[host]/modules/content/admin/content.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/
Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").

2) Local File Inclusion vulnerability in ImpressCMS: CVE-2012-0987
Input passed via the "icmsConfigPlugins[sanitizer_plugins]" GET parameter to edituser.php is not properly verified before being used to include local files.
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
The following PoC is available:
http://[host]/edituser.php?icmsConfigPlugins[sanitizer_plugins][]=../../../tmp/file%00
Successful exploitation of this vulnerability requires that the attacker is registered and logged-in, "magic_quotes_gpc" are off and "Profile" module is disabled.


ImmuniWeb® On-Demand Web Application Penetration Test


Solution:
Upgrade to ImpressCMS 1.2.7 Final or 1.3.1 Final

More information:
http://community.impresscms.org/modules/smartsection/item.php?itemid=579
User Comments and Opinions


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.