Post Mon May 20, 2013 3:05 am

HTB23153: Multiple Vulnerabilities in Jojo CMS

Advisory ID: HTB23153
Product: Jojo CMS
Vendor: The Jojo Team
Vulnerable Versions: 1.2 and probably prior
Tested Version: 1.2
Vendor Notification: April 17, 2013
Vendor Fix: May 6, 2013
Public Disclosure: May 15, 2013
Vulnerability Type: SQL Injection [CWE-89]
Cross-Site Scripting [CWE-79]
CVE References: CVE-2013-3081
CVE-2013-3082
Risk Level: Medium
CVSSv2 Base Scores: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Jojo CMS, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.


1) SQL Injection in Jojo CMS: CVE-2013-3081

The vulnerability is caused by insufficient filtration of user-supplied input passed to the "X-Forwarded-For" HTTP header in "/articles/test/" URI. A remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary SQL commands in application’s database.

The PoC code below will create a file "/var/www/file.php" containing content of "comment" table (if web and database server configurations allow):
  Code:
POST /articles/test/ HTTP/1.1
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' --
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

name=name&email=user%40mail.com&website=&anchortext=&comment=comment&submit=Post+Comment


The above-mentioned PoC code can be used to execute arbitrary PHP code on the vulnerable system if the attacker creates a comment containing PHP code.

Successful exploitation of the vulnerability requires that "jojo comments" plugin is enabled (disabled by default).


2) Cross-Site Scripting (XSS) in Jojo CMS: CVE-2013-3082

The vulnerability exists due to insufficient filtration of user-supplied data passed to "search" HTTP POST parameter in "/forgot-password/" URI. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to display user's cookies:
  Code:
<form action="http://jojo/forgot-password/" method="post">
<input type="hidden" name="search" value='<script>alert(document.cookike);</script>'>
<input type="submit" id="btn">
</form>


Solution:
Upgrade to Jojo CMS to version 1.2.2

More Information:
https://github.com/JojoCMS/Jojo-CMS
https://github.com/JojoCMS/Jojo-CMS/com ... add3a987d8
https://github.com/JojoCMS/Jojo-CMS/com ... 2cbf2d2236


References:
[1] High-Tech Bridge Advisory HTB23153 - https://www.htbridge.com/advisory/HTB23153 - Multiple vulnerabilities in Jojo CMS
[2] Jojo CMS - http://www.jojocms.org/ - Jojo is a PHP-based free CMS for web developers wanting to build good websites.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.