SB2018012319 - Multiple vulnerabilities in noneCMS
Published: January 23, 2018 Updated: September 24, 2019
Description
This security bulletin contains information about 5 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2018-6022)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in application/admin/controller/Main.php in NoneCms through 1.3.0. A remote authenticated attacker can send a specially crafted HTTP request and delete arbitrary files by leveraging back-office access to provide a "." (dot) in the param.path parameter.
2) Cross-site request forgery (CVE-ID: CVE-2018-7219)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin within application/admin/controller/Admin.php in NoneCms 1.3.0. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as changing an admin password or adding an account.
3) Code Injection (CVE-ID: CVE-2018-20062)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the "thinkphp/library/think/App.php" file. A remote attacker can pass PHP code directly via the "filter" HTTP GET parameter and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2018-6029)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists in the "copy" function in "application/admin/controller/Article.php" because URL validation only considers whether the URL contains the "csdn" substring. A remote attacker can send a specially crafted HTTP request, trick the application into initiating requests to arbitrary systems and access the content of internal and external network resources.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
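An added example (not NoneCms code and not part of the bulletin) contrasting the substring check described above with a stricter allowlist check. The function names, the `blog.csdn.net` allowlist entry, the sample URLs and the stub resolvers are assumptions made for illustration.

```php
<?php
// Added example: names and allowlist are hypothetical, not NoneCms code.
const ALLOWED_HOSTS = ['blog.csdn.net']; // assumption: the only host needed

// Weak check as the bulletin describes it: any URL containing "csdn" passes.
function weakIsAllowed(string $url): bool
{
    return strpos($url, 'csdn') !== false;
}

// Hardened check: pin scheme and exact host, then require every resolved
// address to be public. $resolver is injectable so the demo runs offline.
function strictIsAllowed(string $url, ?callable $resolver = null): bool
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])
        || isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($p['host']), ALLOWED_HOSTS, true)) {
        return false;
    }
    $ips = ($resolver ?? 'gethostbynamel')(strtolower($p['host']));
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips ?: [] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return !empty($ips);
}

// Constructed sample URLs and stub resolvers (no network access needed).
$public   = fn(string $h): array => ['8.8.8.8'];   // stand-in public address
$loopback = fn(string $h): array => ['127.0.0.1']; // DNS answer pointing inward
$samples  = [
    'https://blog.csdn.net/a/article/details/1',
    'ftp://blog.csdn.net/a',
    'http://127.0.0.1/status?ref=csdn',
    'http://csdn.internal.example/',
];
foreach ($samples as $url) {
    printf("%-42s weak=%d strict=%d inward-dns=%d\n", $url, weakIsAllowed($url),
        strictIsAllowed($url, $public), strictIsAllowed($url, $loopback));
}
```

When the fetch itself is made, redirects should be disabled or each hop re-validated, since a permitted host can redirect elsewhere.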
5) Cross-site request forgery (CVE-ID: CVE-2019-16721)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in "public/index.php/admin/admin/dele.html". A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as deleting the admin user.
PoC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[host]/public/index.php/admin/admin/dele.html">
<input type="hidden" name="id" value="10" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.