SB2018070209 - Multiple vulnerabilities in HongCMS
Published: July 2, 2018 Updated: October 21, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2018-13021)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to the application allows unrestricted upload of dangerous files in "admin/index.php/template/upload" URI. A remote authenticated user can upload a malicious PHP script on the server and execute it.
2) Cross-site request forgery (CVE-ID: CVE-2018-10265)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as add an administrator account via the admin/index.php/users/save URI.
3) Cross-site scripting (CVE-ID: CVE-2019-17607)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the install/index.php servername parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2019-17608)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the install/index.php dbname parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Cross-site scripting (CVE-ID: CVE-2019-17609)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the install/index.php dbusername parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Cross-site scripting (CVE-ID: CVE-2019-17610)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the install/index.php dbpassword parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Cross-site scripting (CVE-ID: CVE-2019-17611)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the install/index.php tableprefix parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
8) Cross-site scripting (CVE-ID: CVE-2018-12266)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in systemerrors404.php when processing crafted input that triggers a 404 HTTP status code. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
9) Path traversal (CVE-ID: CVE-2018-16774)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to the admin/index.php/language/ajax?action=delete URL and delete arbitrary files on the system.
This vulnerability can be exploited via CSRF attack vector.
10) Path traversal (CVE-ID: CVE-2019-8407)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to the admin/index.php/language/edit URI and read arbitrary files on the system.
11) Path traversal (CVE-ID: CVE-2019-16867)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to the admin/index.php/database/ajax?action=delete URL and delete arbitrary files on the system.
Note, this vulnerability can be exploited via the CSRF attack vector.
12) SQL injection (CVE-ID: CVE-2018-12912)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the admin/index.php/database/operate?dbaction=emptytable&tablename= URL. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
13) Stored cross-site scripting (CVE-ID: CVE-2018-10422)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://github.com/Neeke/HongCMS/issues/5
- https://github.com/Neeke/HongCMS/issues/1
- https://cdn1.imggmi.com/uploads/2019/10/13/94ef1b084a074ffd9ef63408529aed17-full.png
- https://cdn1.imggmi.com/uploads/2019/10/13/e561884443c495286993e186f44dfd1f-full.png
- https://cxsecurity.com/issue/WLB-2019100100
- https://github.com/lzlzh2016/CVE/blob/master/XSS.md
- https://github.com/Neeke/HongCMS/issues/6
- https://github.com/Neeke/HongCMS/issues/7
- https://github.com/Neeke/HongCMS/issues/12
- https://github.com/Neeke/HongCMS/issues/4
- https://www.exploit-db.com/exploits/44953/
- https://github.com/Neeke/HongCMS/issues/2