Multiple vulnerabilities in ImpressCMS

[advisory () htbridge ch]

Vulnerability ID: HTB23064
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_impresscms.html
Product: ImpressCMS
Vendor: The ImpressCMS Project ( http://www.impresscms.org/ ) 
Vulnerable Version: 1.3 Final  and probably prior
Tested Version: 1.3 Final 
Vendor Notification: 14 December 2011 
Vendor Patch: 27 December 2011 
Vulnerability Type: XSS, Local file inclusion
Status: Fixed by Vendor
Risk level: High 
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ ) 

Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in ImpressCMS, which can be exploited 
to perform cross-site scripting and local file inclusion attacks. 

1) Input appended to the URL after notifications.php is not properly sanitised before being returned to the user. 
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected 
website.

The following PoC code is available:


<form action='http://[host]/notifications.php/";><script>alert(document.cookie);</script>' method="post">
<input type="hidden" name="del_not" value="1">
<input type="hidden" name="delete_ok" value="">
<input type="submit" value="submit" id="btn"> 
</form>


Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or 
"default" (default value is "default"). 

2) Input appended to the URL after /modules/system/admin/images/browser.php is not properly sanitised before being 
returned to the user. 
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of 
affected website.

The following PoC code is available:

http://[host]/modules/system/admin/images/browser.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/?op=listimg&imgcat_id=1&target=&type=ibrow

Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or 
"default" (default value is "default"). 

3) Input appended to the URL after /modules/content/admin/content.php is not properly sanitised before being returned 
to the user. 
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of 
affected website.

The following PoC code is available:

http://[host]/modules/content/admin/content.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/

Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or 
"default" (default value is "default"). 

4) Input passed via the "icmsConfigPlugins[sanitizer_plugins]" GET parameter to edituser.php is not properly verified 
before being used to include local files. 
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.

The following PoC is available:

http://[host]/edituser.php?icmsConfigPlugins[sanitizer_plugins][]=../../../tmp/file%00

Successful exploitation of this vulnerability requires that the attacker is registered and logged-in, 
"magic_quotes_gpc" are off and "Profile" module is disabled.

Solution: Upgrade to ImpressCMS 1.2.7 Final or 1.3.1 Final

More information:
http://community.impresscms.org/modules/smartsection/item.php?itemid=579

Disclaimer: Details of this Advisory may be updated in order to provide as accurate information as possible. The latest 
version of the Advisory is available on the web page in Reference field.