Tuesday 10 February 2015

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Web Application Zero Day Bug


Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore (@justqdjing)

Advisory Details:


(1) Vendor & Product Description


Vendor:
Smartwebsites

Product & Version:
SmartCMS v.2


Vendor URL & Download:
Product Description: 
“SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user's technical skills. When we designed the SmartCMS - Online Content Management System, we had you, the user, in mind. We have put ourselves in your shoes and wondered what it would be like to have a simple, yet powerful system that would make the update of a website something fun to do. And here we are now! 6 years passed since the first release of SmartCMS. Now it is a popular and successful system which helps many companies become more competitive and successful online. The SmartCMS system comes with a batch of useful tools and modules which make your online content management experience enjoyable, while increasing your productivity instantly.

SmartCMS offers you the following:

One complete solution for the content management of your website.
Professional design.
Minimal running cost.
Maximum security and scalability.
Unlimited number of pages, images and files.
Complete control over your website, without the need for specialized technical skills and without any dependencies on third party.
Support for multiple languages.
Quality and reliable professional customer support.
Improved customer service.”

(2) Vulnerability Details:
The SmartCMS web application is vulnerable to reflected XSS. A remote attacker can create a specially crafted request that executes arbitrary script code in a user's browser session, within the trust relationship between the browser and the server.

Several 0-day vulnerabilities in other, similar products have been found by other bug researchers before. SmartCMS has patched some of them. "scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training".



(2.1) The first code flaw occurs in the “index.php?” page, through multiple parameters: “pageid” and “lang”.

(2.2) The second code flaw occurs in the “sitemap.php?” page, through multiple parameters: “pageid” and “lang”.
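
A mitigation sketch for the two parameters named in (2.1) and (2.2), added here as an example; it is not SmartCMS code and not from the advisory. It assumes “pageid” is a positive integer and “lang” is one of a fixed set of language codes; the helper names and the language list are hypothetical.

```php
<?php
// Added example, not SmartCMS code. Assumptions: "pageid" is a positive
// integer and "lang" is one of a fixed set of language codes.
declare(strict_types=1);

const ALLOWED_LANGS = ['en', 'el'];   // assumed set; adjust to the site
const DEFAULT_LANG  = 'en';

/** Return pageid as a positive int, or null if it is anything else. */
function read_pageid(array $query): ?int
{
    $raw = $query['pageid'] ?? null;
    if (!is_string($raw)) {           // rejects missing values and pageid[]=...
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Return lang only if it is on the allowlist, otherwise the default. */
function read_lang(array $query): string
{
    $raw = $query['lang'] ?? DEFAULT_LANG;
    return (is_string($raw) && in_array($raw, ALLOWED_LANGS, true)) ? $raw : DEFAULT_LANG;
}

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pageid = read_pageid($_GET);
$lang   = read_lang($_GET);
if ($pageid === null) {
    http_response_code(400);
    exit('Invalid page id');
}

// Only validated values reach the markup, and they are still encoded on output.
$sitemapUrl = 'sitemap.php?' . http_build_query(['pageid' => $pageid, 'lang' => $lang]);
header("Content-Security-Policy: default-src 'self'");
echo '<html lang="' . h($lang) . '"><body>';
echo '<a href="' . h($sitemapUrl) . '">Sitemap</a>';
echo '<p>Page ' . h((string) $pageid) . '</p></body></html>';
```

The same validation applies to both entry points, since the advisory lists the same two parameters for “index.php” and “sitemap.php”.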

References:
http://itsecurity.lofter.com/post/1cfbf9e7_5c3a4a8
