Multiple Vulnerabilities in Jojo CMS

Advisory ID:	HTB23153
Product:	Jojo CMS
Vendor:	The Jojo Team
Vulnerable Versions:	1.2 and probably prior
Tested Version:	1.2
Advisory Publication:	April 17, 2013 [without technical details]
Vendor Notification:	April 17, 2013
Vendor Fix:	May 6, 2013
Public Disclosure:	May 15, 2013
Latest Update:	May 14, 2013
Vulnerability Type:	SQL Injection [CWE-89] Cross-Site Scripting [CWE-79]
CVE References:	CVE-2013-3081 CVE-2013-3082
Risk Level:	Medium

CVSSv2 Base Scores:	6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status:	Fixed by Vendor
Discovered and Provided:	High-Tech Bridge Security Research Lab
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Jojo CMS, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks. 1) SQL Injection in Jojo CMS: CVE-2013-3081 The vulnerability is caused by insufficient filtration of user-supplied input passed to the "X-Forwarded-For" HTTP header in "/articles/test/" URI. A remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary SQL commands in application’s database. The PoC code below will create a file "/var/www/file.php" containing content of "comment" table (if web and database server configurations allow): POST /articles/test/ HTTP/1.1 X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' -- Content-Type: application/x-www-form-urlencoded Content-Length: 88 name=name&email=user%40mail.com&website=&anchortext=&comment=comment&s ubmit=Post+Comment The above-mentioned PoC code can be used to execute arbitrary PHP code on the vulnerable system if the attacker creates a comment containing PHP code. Successful exploitation of the vulnerability requires that "jojo comments" plugin is enabled (disabled by default). 2) Cross-Site Scripting (XSS) in Jojo CMS: CVE-2013-3082 The vulnerability exists due to insufficient filtration of user-supplied data passed to "search" HTTP POST parameter in "/forgot-password/" URI. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display user's cookies: <form action="http://jojo/forgot-password/" method="post"> <input type="hidden" name="search" value='<script>alert(document.cookike);</script>'> <input type="submit" id="btn"> </form>
How to Detect SQL Injection Vulnerabilities Website Security Test GDPR & PCI DSS Test Website CMS Security Test CSP & HTTP Headers Check WordPress & Drupal Scanning Try For Free Solution:
Upgrade to Jojo CMS to version 1.2.2 More Information: https://github.com/JojoCMS/Jojo-CMS https://github.com/JojoCMS/Jojo-CMS/commit/972757c4500d94b4b1306bf092e678add3a987d8 https://github.com/JojoCMS/Jojo-CMS/commit/9c000f961635e35e9984a8c16ca69c2cbf2d2236

References:
[1] High-Tech Bridge Advisory HTB23153 - https://www.immuniweb.com/advisory/HTB23153 - Multiple vulnerabilities in Jojo CMS [2] Jojo CMS - http://www.jojocms.org/ - Jojo is a PHP-based free CMS for web developers wanting to build good websites. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Previous Security Advisories with CWE-89:

HTB23152: SQL Injection in b2evolution

HTB23148: SQL Injection Vulnerability in Symphony

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.