Showing posts with label 0 Day. Show all posts

Thursday, 27 August 2015

Wolf CMS Arbitrary File Upload To Command Execution - CVE-2015-6567, CVE-2015-6568

Wolf CMS Arbitrary File Upload To Command Execution


Full Technical Disclosure Of Wolf CMS Arbitrary File Upload To Command Execution



# Exploit Title          : Wolf CMS 0.8.2 Arbitrary File Upload To Command Execution
# Reported Date      : 05-May-2015
# Fixed Date             : 10-August-2015
# Exploit Author     : Narendra Bhati
# CVE ID                  : CVE-2015-6567 , CVE-2015-6568
# Additional Links -
* https://github.com/wolfcms/wolfcms/releases/
* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
1. Description

Tuesday, 31 March 2015

Abusing Windows Opener To Bypass Certain Restriction ( CSRF Bypass )



Hello all =D, hope you are doing well.

Today we will see how we can abuse the Windows Opener function to bypass certain restrictions in a web application.

So first, let's see what the Windows Opener function is.

According to the Mozilla Developer Guide:

When a window is opened from another window, it maintains a reference to that first window as window.opener. If the current window has no opener, this method returns NULL. Windows Phone browser does not support window.opener. It is also not supported in IE if the opener is in a different security zone.

===================================================================

Monday, 26 January 2015

NPDS CMS SQL Injection - CVE-2015-1400



Hello folks! It has been a long time; I did not write up any finding for 2 months. So today I will share one of my findings, about NPDS CMS Time Based SQL Injection.



What Is NPDS CMS - Beyond content management 'classic', NPDS implements a set of functions specifically dedicated to the management of community and collaborative working groups.
This is a Content & Community Management System (CCMS) robust, secure, complete, efficient and really speaking French. Manage your community of users, your collaborative work groups, publish, manage and organize your content with powerful tools available basis.

You can find more about NPDS CMS from this link

So let's come to the finding!

Sunday, 9 November 2014

X3 CMS XSS And CSRF "CVE-2014-8771 , CVE-2014-8772"


Hello all friends, today I am disclosing the issue which I found in X3CMS (0.5.1 & 0.5.1.1).

So Here Is The X3 CMS XSS And CSRF



There were two vulnerabilities:

    1.) CSRF
    2.) Reflected XSS [POST]

There was an XSS in X3CMS (0.5.1 & 0.5.1.1) in the "search" parameter, which is only exploitable by an authenticated user (POST XSS),

Sunday, 2 November 2014

Modx XSS And CSRF Bypass "CVE-2014-8773 , CVE-2014-8774 , CVE-2014-8775"


Modx XSS And CSRF Bypass


Hello all Bros :) ;), leets and learners, hope you all are well and enjoying your bounties as well ;)

Today we will see how I got the Modx XSS And CSRF Bypass (Modx CSRF + XSS = A Perfect Disaster) ;)

Attacker Scenario Is Inspired From Symantec CSRF

So What Is Modx

MODX is the web content management system (CMS) that gives you complete control over your site and content, with the flexibility and scalability

Wednesday, 25 June 2014

Wordfence Firewall Plugin XSS "CVE-2014-4664"



"Wordfence Firewall Plugin XSS"  "CVE-2014-4664"


Hello all friends, it has been a long time since I talked or posted about an XSS vulnerability. My last post about XSS was the Google XSS, which I found last year at the start of my career.

So let's come to the post.

Today we will see how I got the "WordPress Firewall Plugin Wordfence XSS"

Wednesday, 24 April 2013

Symantec CSRF Bypass Vulnerability


Symantec CSRF Vulnerability
Hello friends, here I come with another vulnerability article.

Symantec Antivirus Well Known Anti Virus Official Website Vulnerable To CSRF Vulnerability...

First I went to the Symantec customer login page and created my own test account for testing. I switched to Live HTTP Headers, and then I got stuck. Why? There is a CSRF token called "Nonce"