FineCMS multi vulnerablity

# Reflected XSS in get_image.php # ## Technical Description: ## file `/application/lib/ajax/get_image.php` the `$_POST['id']` and `$_POST['name']` and `$_GET['folder']` without any validated, sanitised or output encoded. ## Proof of Concept(PoC) ## ``` http://your_finecms/application/lib/ajax/get_image.php?folder=1 POST: id=1"><script>alert(1)</script>&name=1 ``` ![image.png-45.5kB][1] # Arbitrary File Modify # ## Technical Description: ## The base function for modify the template can modify the filename,this leads to the Arbitrary File Modify, who could allow attacker getshell. file `/appalication/core/controller/template.php` line50-line53 ![image.png-56.1kB][2] follow function save() file `/appalication/core/model/template.php` line26-line48 ![image.png-118.8kB][3] if file exists, we can modify it whihout any limit. insterestingly, there are two more Vulnerability for same function in different files. file `/appalication/core/model/style.php` line26-line48 ![image.png-97.3kB][4] file `/appalication/core/model/script.php` line26-line48 ![image.png-101.7kB][5] ## Proof of Concept(PoC) ## ``` http://your_finecms/index.php?route=template http://your_finecms/index.php?route=style http://your_finecms/index.php?route=script POST: contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz ``` ![image.png-71.9kB][6] # Authenticated SQL injection # all FineCMS use PDO to connect the mysql server, so all the data without any validated, sanitised or output encoded injection database.but in `application/core/controller/excludes.php`, the website author use mysqli to connect mysql server.the lead SQL injection, who could allow attacker use some payload to get data in database. ## Technical Description: ## file `application/core/controller/excludes.php` line75, the visitor_ip insert into database without any validated, sanitised or output encoded. ![image.png-114.8kB][7] file `/stat/get_stat_data.php` line30 ![image.png-149.7kB][8] the sql inject into sql_query and execute. ## Proof of Concept(PoC) ## ``` http://your_finecms/index.php?route=excludes&action=add POST: visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz ``` and view `http://your_finecms/stat/get_stat_data.php`,we can feel website loading sleep. ![image.png-138.7kB][9] # Stored XSS in images.php # FineCMS allow admin to upload image into gallery, and it will show image data into pages, but some data will output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting. ## Technical Description: ## when we upload the file file `application/core/controller/images.php` line87 ![image.png-145.9kB][10] and follow the function add() file `application/core/model/images.php` line78 ![image.png-381.2kB][11] if filetype startwith "image",the filetype will insert into database when we view the detail of the images file `application/lib/generators/view.php` line106, somethings will output into pages. ![image.png-264kB][12] ## Proof of Concept(PoC) ## view the `http://your_finecms/index.php?route=images&action=add` and upload picture ![image.png-105.7kB][13] modify the picture's filetype ![image.png-96.1kB][14] view the detail of picture ![image.png-63.7kB][15] ![image.png-379.4kB][16] Because of the vulnerability also in edit detail page. so you also can use edit to insert Script code in pages. `http://your_finecms/index.php?route=images&action=edit&id=15` ![image.png-1782.9kB][17] view the detail of picture ![image.png-75.7kB][18] # Stored XSS in visitors.php # FineCMS stores all the visitors the visit url, but in detail of log they output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting. ## Technical Description: ## just like last vulnerability. ## Proof of Concept(PoC) ## visit any page with js script code. such as ``` index.php?route=images&action=view&id=14'"><script>alert(1)</script> ``` ![image.png-134.2kB][19] when the admin view the visitors page ![image.png-116.3kB][20] [1]: http://static.zybuluo.com/LoRexxar/upp53a9g2rjp12f26zhasl1g/image.png [2]: http://static.zybuluo.com/LoRexxar/q0ayssqxahs879g1trop4exj/image.png [3]: http://static.zybuluo.com/LoRexxar/j95u7e6t33l4hmbf0jrm9gdy/image.png [4]: http://static.zybuluo.com/LoRexxar/3t4fdkynao3phgvrzvr4t15x/image.png [5]: http://static.zybuluo.com/LoRexxar/cnd0loduyqtth6erbi46cmyn/image.png [6]: http://static.zybuluo.com/LoRexxar/rz0qs8z010pwc28dcd52atqx/image.png [7]: http://static.zybuluo.com/LoRexxar/ea1jsrc1xg8davd5e5w0pttt/image.png [8]: http://static.zybuluo.com/LoRexxar/dybx3reszpvsjhiu1on89r2d/image.png [9]: http://static.zybuluo.com/LoRexxar/kkxzyoant4pe8tnsnicd8k8f/image.png [10]: http://static.zybuluo.com/LoRexxar/74ul5xooczaxpg206d6znv2q/image.png [11]: http://static.zybuluo.com/LoRexxar/4lsz3mz01d8ysx5thw9oj2k4/image.png [12]: http://static.zybuluo.com/LoRexxar/nymbt5qdk778cc1yvy69uslo/image.png [13]: http://static.zybuluo.com/LoRexxar/i8hu05cr40z0fu2zn1grzdof/image.png [14]: http://static.zybuluo.com/LoRexxar/t63b12ssv4yrtk41ekxlv89f/image.png [15]: http://static.zybuluo.com/LoRexxar/kz6ui41jqevfcjorprg3qkhe/image.png [16]: http://static.zybuluo.com/LoRexxar/43zaks1jdrixsex5ta32eicr/image.png [17]: http://static.zybuluo.com/LoRexxar/g2uet579ds3r84b0accjiej8/image.png [18]: http://static.zybuluo.com/LoRexxar/o77vcyetozz2660axyce4ix5/image.png [19]: http://static.zybuluo.com/LoRexxar/7tw2wp6jwd20c2r5wgwq9nvp/image.png [20]: http://static.zybuluo.com/LoRexxar/zou64frybxrhe3aaao7utwxn/image.png