(Monstra <= 3.0.1 & Anchor <= 0.9) CVE-2014-9006, CVE-2014-9182

2:07 AM



Monstra CMS <= 3.0.1 (current version at the time of writing) Vulnerabilities

HTTP Response Splitting (CRLF Injection)

http://packetstormsecurity.com/files/129043/Monstra-3.0.1-HTTP-Response-Splitting.html

/plugins/captcha/crypt/cryptographp.php

<?php
...
SetCookie("cryptcookietest", "1");
// $_GET['cfg'] is concatenated into the Location header without any encoding
Header("Location: cryptographp.inc.php?cfg=".$_GET['cfg']."&sn=".session_name()."&".SID);
...
?>

So requesting

http://[host]/[loc]/plugins/captcha/crypt/cryptographp.php?cfg=%0A%0DContent-Type:%20text/html%0A%0D%0A%0D%3Cscript%3Ealert%281%29%3C/script%3E&

results in a CRLF injection: the first line break ends the Location header, 
the injected Content-Type becomes a header of its own, and the doubled line 
break ends the header block, so everything after it is served as the response 
body. This can be used for reflected XSS, content spoofing, open redirection 
and more. (The advisory writes the line break as %0A%0D, i.e. LF CR; the 
canonical HTTP line terminator is CRLF, %0D%0A.)

Note: exploitation requires a PHP version that still lets a single header() 
call emit more than one header. PHP 5.1.2 and later refuse a header value 
that contains a newline, so this is only reachable on older PHP builds.
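As an added example (not Monstra's code), the following Python reproduces what the cryptographp.php redirect turns into when cfg carries a line break, emulates the newline check that later PHP versions apply inside header(), and shows the encoding fix. The session id, the helper names and the use of canonical CRLF instead of the advisory's %0A%0D ordering are assumptions made for the demonstration.

```python
"""Added example, not Monstra's code: what the cryptographp.php redirect
turns into when $_GET['cfg'] carries a line break, the newline check later
PHP versions apply inside header(), and the encoding fix. Names are
illustrative and the session id is made up."""
from urllib.parse import quote, unquote

# Constructed from the advisory's query string, written here with canonical
# CRLF (%0D%0A) line breaks; the original post orders the bytes %0A%0D.
CFG_PAYLOAD = unquote(
    "%0D%0AContent-Type:%20text/html%0D%0A%0D%0A"
    "%3Cscript%3Ealert%281%29%3C/script%3E")


def location_header(cfg, session_name="PHPSESSID", sid="PHPSESSID=deadbeef"):
    """Mirrors the string concatenation in cryptographp.php."""
    return ("Location: cryptographp.inc.php?cfg=" + cfg
            + "&sn=" + session_name + "&" + sid)


def php_header_check(value):
    """Emulates the check PHP >= 5.1.2 applies in header(): a CR or LF that
    does not begin a folded continuation line (LF followed by space or tab)
    is refused. Raises ValueError where PHP warns and drops the header."""
    for i, ch in enumerate(value):
        if ch in "\r\n":
            if ch == "\n" and value[i + 1:i + 2] in (" ", "\t"):
                continue
            raise ValueError(
                "Header may not contain more than a single header, new line detected")
    return value


def rejected_by_php(value):
    """True if the emulated header() check would refuse this header."""
    try:
        php_header_check(value)
    except ValueError:
        return True
    return False


def raw_response(header_lines):
    """Emulates a server that writes header() values verbatim (PHP < 5.1.2)."""
    return "HTTP/1.1 302 Found\r\n" + "".join(h + "\r\n" for h in header_lines) + "\r\n"


def parse_response(raw):
    """Split a response the way a client does: headers up to the first blank
    line, everything after it is the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def vulnerable_redirect(cfg):
    """The redirect as cryptographp.php emits it on a PHP that does not check."""
    return raw_response(["Set-Cookie: cryptcookietest=1", location_header(cfg)])


def hardened_redirect(cfg):
    """Fix: percent-encode the untrusted value so it can no longer contain a
    line break (the Location then carries a literal %0D%0A, which the browser
    passes on as query data), and keep the PHP-style check as a backstop."""
    return raw_response(["Set-Cookie: cryptcookietest=1",
                         php_header_check(location_header(quote(cfg, safe="")))])


if __name__ == "__main__":
    status, headers, body = parse_response(vulnerable_redirect(CFG_PAYLOAD))
    print(status, headers, repr(body[:40]))
    print(parse_response(hardened_redirect(CFG_PAYLOAD))[1]["location"])
```

Run stand-alone, the vulnerable redirect parses as a 302 with an attacker-supplied Content-Type and a body that starts with the script tag, while the hardened redirect keeps the whole payload inside the query string of a single Location header.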

Bruteforce Mitigation Bypass [CVE-2014-9006]

http://packetstormsecurity.com/files/129082/Monstra-3.0.1-Bruteforce-Mitigation-Bypass.html

admin/index.php, lines 33-42:

// Admin login
if (Request::post('login_submit')) {

    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {

        $login_error = __('You are banned for 10 minutes. Try again later', 'users');

    } else {

        $user = $users->select("[login='" . trim(Request::post('login')) . "']", null);
        ...
    }
}

 
 
The check relies entirely on a cookie named "login_attempts" stored in the 
client's browser; nothing is recorded on the server. Because the counter is 
held by the very party being rate-limited, an attacker's brute-force script 
simply discards the Set-Cookie it receives (or sends no cookies at all) and is 
never banned. For the ban to mean anything the counter has to live on the 
server, keyed by account and/or source address.
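As an added example (not Monstra's code), the following Python puts a login gate that counts failures in a cookie, as admin/index.php does, beside one that keeps the counter on the server, and runs the same brute-force loop against both. The credential store, the wordlist, the class and function names and the per-account keying are assumptions made for the demonstration.

```python
"""Added example, not Monstra's code: a login gate that counts failures in a
cookie (as admin/index.php does) beside one that keeps the counter on the
server, and a brute-force loop run against both. Names are illustrative."""
import time
from collections import defaultdict

MAX_ATTEMPTS = 5
BAN_SECONDS = 10 * 60

# Constructed credential store and wordlist for the demonstration.
USERS = {"admin": "correct horse battery"}
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty",
            "monstra", "correct horse battery"]


class CookieGate:
    """Mirrors the Monstra check: the attempt counter is whatever the client
    chose to send back in the login_attempts cookie."""

    def login(self, cookies, login, password):
        attempts = int(cookies.get("login_attempts", "0"))
        if attempts >= MAX_ATTEMPTS:
            return "banned", dict(cookies)
        if USERS.get(login) == password:
            return "ok", {}
        # Set-Cookie: login_attempts=<n+1>; the client may simply ignore it
        return "failed", {"login_attempts": str(attempts + 1)}


class ServerGate:
    """Counter kept server-side, keyed by account, over a sliding 10 minute
    window. In a real deployment this state lives in the database or a
    shared cache, not in process memory."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(list)

    def login(self, login, password):
        now = self._clock()
        recent = [t for t in self._failures[login] if now - t < BAN_SECONDS]
        self._failures[login] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "banned"          # nothing the client sends can reset this
        if USERS.get(login) == password:
            self._failures.pop(login, None)
            return "ok"
        recent.append(now)
        return "failed"


def bruteforce_cookie_gate(login, wordlist, honour_set_cookie):
    """Run the wordlist against CookieGate. Returns (outcome, guesses sent).
    A browser stores the Set-Cookie; the attacker's script just does not."""
    gate, jar = CookieGate(), {}
    for n, guess in enumerate(wordlist, 1):
        outcome, set_cookie = gate.login(jar, login, guess)
        if outcome in ("ok", "banned"):
            return outcome, n
        if honour_set_cookie:
            jar = set_cookie
    return "exhausted", len(wordlist)


def bruteforce_server_gate(login, wordlist):
    """Same loop against ServerGate; there is no cookie to drop."""
    gate = ServerGate()
    for n, guess in enumerate(wordlist, 1):
        outcome = gate.login(login, guess)
        if outcome in ("ok", "banned"):
            return outcome, n
    return "exhausted", len(wordlist)


if __name__ == "__main__":
    print("cookie gate, honest client:", bruteforce_cookie_gate("admin", WORDLIST, True))
    print("cookie gate, cookie dropped:", bruteforce_cookie_gate("admin", WORDLIST, False))
    print("server gate:", bruteforce_server_gate("admin", WORDLIST))
```

An honest client is banned on the sixth guess against either gate; the script that drops the cookie walks the whole wordlist against the cookie gate and logs in on the seventh guess. Keying the server-side counter by account alone means a distributed attacker can lock the real user out for ten minutes, which is the usual trade-off and the reason many deployments combine a per-account counter with a per-source one.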


Anchor CMS <= 0.9.2 Header Injection [CVE-2014-9182]

Anchor CMS 0.9.2 (current version at the time of writing) and below suffer 
from a header injection vulnerability in anchor/models/comment.php:
<?php
...
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";
// the client-supplied Host request header is copied into the From header
$headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n";
mail($to, __('comments.notify_subject'), $message, $headers);
...
?>
$_SERVER['HTTP_HOST'] is the Host request header sent by the client, so 
whoever posts a comment chooses the sender domain of the notification mail. 
Setting Host to bad.com makes the notification arrive From notifications@bad.com; 
setting it to bad.com\r\nNew-Header:Hacked! appends an arbitrary header to the 
message, since each CRLF-separated line of $headers is passed to mail() as a 
header of its own.
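As an added example (not Anchor's code), the following Python puts the From header derived from the client-controlled Host header beside a version that only accepts a hostname the site is configured to answer on, which removes both the sender spoofing and the CRLF injection at once. The allowlist, the hostname grammar and the helper names are assumptions made for the demonstration.

```python
"""Added example, not Anchor's code: the notification From header derived
from the client-controlled Host request header, beside a version that only
accepts a hostname the site is configured to answer on. Names are
illustrative."""
import re

# Constructed configuration: the hostnames this install is actually served on.
ALLOWED_HOSTS = {"blog.example.org", "www.example.org"}

# Hostname (RFC 3986 reg-name or dotted IPv4) with an optional :port. Nothing
# else, in particular no whitespace and no CR/LF, can match. IPv6 literals
# are deliberately not accepted here.
_HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
    r"(?::[0-9]{1,5})?")


def vulnerable_headers(http_host):
    """Mirrors comment.php: $_SERVER['HTTP_HOST'] is copied into From."""
    headers = "MIME-Version: 1.0\r\n"
    headers += "Content-type: text/html; charset=utf-8\r\n"
    headers += "From: notifications@" + http_host + "\r\n"
    return headers


def canonical_host(http_host, allowed=ALLOWED_HOSTS):
    """Return the bare lower-case hostname if the Host value is well-formed
    and one of the configured names, else None. fullmatch is used on purpose:
    a trailing '$' anchor would still match 'bad.com\\n'."""
    if len(http_host) > 255 or not _HOST_RE.fullmatch(http_host):
        return None
    name = http_host.rsplit(":", 1)[0].lower()   # drop the optional port
    return name if name in allowed else None


def hardened_headers(http_host):
    """Build the same headers from a validated host; refuse anything else so
    the sender domain cannot be chosen by whoever posts the comment."""
    host = canonical_host(http_host)
    if host is None:
        raise ValueError("Host header not in configured allowlist")
    return ("MIME-Version: 1.0\r\n"
            "Content-type: text/html; charset=utf-8\r\n"
            "From: notifications@" + host + "\r\n")


def accepts(http_host):
    """True if hardened_headers would build a message for this Host value."""
    return canonical_host(http_host) is not None


def header_names(block):
    """Names of the headers a mail transport would see in the block."""
    return [line.split(":", 1)[0] for line in block.split("\r\n") if line]


if __name__ == "__main__":
    print(header_names(vulnerable_headers("bad.com\r\nNew-Header:Hacked!")))
    print(hardened_headers("blog.example.org:8080"))
```

With the injected Host value the vulnerable builder emits four headers, the last one attacker-chosen; the hardened builder refuses bad.com outright (not in the allowlist) and any value with a line break (not a hostname), and normalises an allowed name by dropping the port and case before it reaches the From header.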
