SB2019092107 - Multiple vulnerabilities in TuziCMS
Published: September 21, 2019 Updated: September 23, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2019-16642)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists in the App\Mobile\Controller\ZhuantiController.class.php file due to insufficient sanitization of user-supplied data passed via the id parameter to index.php/Mobile/Zhuanti/group URL. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Exploit:
http://[host]/index.php/Mobile/Zhuanti/group?id=1%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))
2) SQL injection (CVE-ID: CVE-2019-16644)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists in the App\Home\Controller\ZhuantiController.class.php file due to insufficient sanitization of user-supplied data passed via the id parameter to /index.php/Zhuanti/group URL. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Exploit:
http://[host]/index.php/Zhuanti/group?id=1 and (extractvalue(1,concat(0x7e,(select VERSION()),0x7e)))
3) Cross-site scripting (CVE-ID: CVE-2019-16657)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed to the "index.php/article/group/id/2/" when processing the PATH_INFO to a group URI. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Example:
http://[host]/index.php/article/group/id/2/%f6%22%20onmouseover%3dprompt("XSS")%20///1.html
4) Cross-site request forgery (CVE-ID: CVE-2019-16659)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists in routinely managed friendship links due to insufficient validation of the HTTP request origin in the "index.php/manage/link/do_add". A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Example:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[host]/tuzicms-master/index.php/manage/link/do_add" method="POST">
<input type="hidden" name="link_name" value="a" />
<input type="hidden" name="link_url" value="http://www.hack.com" />
<input type="hidden" name="link_sort" value="100" />
<input type="hidden" name="link_description" value="aaa" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>5) Cross-site request forgery (CVE-ID: CVE-2019-16658)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "index.php/manage/notice/do_add". A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as post announcements.
Example:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[host]/tuzicms-master/index.php/manage/notice/do_add" method="POST" enctype="multipart/form-data">
<input type="hidden" name="notice_title" value="hacker" />
<input type="hidden" name="notice_url" value="http://www.hacker.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.