(Monstra <= 3.0.1 & Anchor <= 0.9) CVE-2014-9006, CVE-2014-9182

2:07 AM



Monstra CMS 3.0.1 (current version at the time of writing) and below Vulnerabilities 

HTTP Response Splitting (CRLF Injection)

http://packetstormsecurity.com/files/129043/Monstra-3.0.1-HTTP-Response-Splitting.html

/plugins/captcha/crypt/cryptographp.php
 
<?php
...
SetCookie("cryptcookietest", "1");
Header("Location:
cryptographp.inc.php?cfg=".$_GET['cfg']."&sn=".session_name()."&".SID);
... ?>

So providing 

http://[host]/[loc]/plugins/captcha/crypt/cryptographp.php?cfg=%0A%0DContent-T
ype:%20text/html%0A%0D%0A%0D%3Cscript%3Ealert%281%29%3C/script%3E& 
 
Using %0A%0D%0A%0D will allow you to add headers. this can be used to cause 
reflective XSS, Content-Spoofing, Open Redirection, and many more. 


Would result a CRLF injection.

Note: PHP version must allow multiple headers. this is fixed >5.1.2 

Bruteforce Mitigation Bypass [CVE-2014-9006]

http://packetstormsecurity.com/files/129082/Monstra-3.0.1-Bruteforce-Mitigation-Bypass.html

admin/index.php

:33-42

// Admin login
if (Request::post('login_submit')) {

    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {

        $login_error = __('You are banned for 10 minutes. Try again
later', 'users');

    } else {

        $user = $users->select("[login='" .
trim(Request::post('login')) . "']", null);
}

 
 
The code blocks bruteforce attempts simply by placing a cookie called 
"login_attempts" in the victims browser an attacker can craft a bruteforce script
that either clears cookies or does not send cookies at all.


Anchor CMS <= 0.9.2 Header Injection [CVE-2014-9182]

Anchor CMS versions 0.9.2 and below suffer from a header injection vulnerability.

Anchor CMS <= 0.9.2 (Current Version)
header injection
in anchor/models/comment.php
 <?php
...
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";
$headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n";
49: mail($to, __('comments.notify_subject'), $message, $headers);
 ...  ?>
so it  is possible to inject arbitary "From" headers or any header
using CRLF. simply by tampering and changing the host to bad.com or
bad.com\r\nNew-Header:Hacked!

You Might Also Like

4 comments

  1. Thanks for sharing these niche piece of knowledge. Here, I had a solution for my inconclusive problems & it’s really helps me a lot keep updates…
    PHP Course in Chennai|PHP Training Chennai

    ReplyDelete
  2. Thanks for sharing this information. This is very useful. Thanks mate. Excellent post!!!. The strategy you
    Web design institute chennai

    ReplyDelete
  3. Maybe you have some mistakes in your code. You can fix them and try again. I've read this guide http://hitthegrade.com last week. It will help in code writing and in future practice.

    ReplyDelete