######################################### www.BugReport.ir ########################################
#
#   AmnPardaz Security Research Team
#
#   Title:                noCMS Multiple Vulnerabilities
#   Vendor:               http://www.noict.com/
#   Vulnerable Version:   2.4 (prior versions may also be affected)
#   Exploitation:         Remote
#   Exploit:              Available
#   Impact:               High
#   Fix:                  N/A
###################################################################################################

####################
1. Description:
####################

noCMS is a Content Management System written in ASP with an MSSQL database. Its main features are: easy content editing in FCKeditor, website management, adding users with different privileges, and managing the website's languages. This CMS is not open source; it is used privately by the vendor to build its customers' websites.

####################
2. Vulnerabilities:
####################

2.1. Injection Flaws.
     SQL Injection in the "lang_id" and "id" parameters.
     2.1.1. Exploit:
            Check the exploit/POC section.

2.2. FCKeditor Arbitrary File Upload.
     The FCKeditor instance allows arbitrary files to be uploaded to the web server.
     2.2.1. Exploit:
            Check the exploit/POC section.

2.3. Injection Flaws.
     Blind SQL Injection in the cookie, in the "Lang_ID" parameter.
     2.3.1. Exploit:
            Check the exploit/POC section.

2.4. Cross Site Scripting (XSS).
     Reflected XSS in "/contactresponse.asp" in the "msg" parameter.
     2.4.1. Exploit:
            Check the exploit/POC section.

####################
3. Exploits/PoCs:
####################

3.1 & 3.2. http://www.bugreport.ir/80/exploit.htm

3.3. POC:
     http://[URL]/
     Set the cookie parameter to ---> Lang_ID=1; WAITFOR DELAY '0:0:5'--;

3.4. POC:
     http://[URL]/contactresponse.asp?msg=<script>alert(document.cookie)</script>

####################
4. Solution:
####################

4.1 & 4.3 & 4.4. Edit the source code so that all inputs are properly validated and sanitized.

4.2. Restrict access to the upload resources to trusted users only.

####################
5. Credit:
####################

AmnPardaz Security Research & Penetration Testing Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
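The following is an added example written for this page; it is not noCMS code and not part of the original advisory. It shows the defender's side of sections 2 to 4: a small scanner that flags, in web-server log lines, the two payload shapes given in PoCs 3.3 and 3.4 (a WAITFOR DELAY in the Lang_ID cookie, a script tag in the msg parameter), followed by the controls that section 4 asks for: allow-list validation of id/lang_id/Lang_ID, a parameterised query instead of string concatenation, and output encoding before msg is reflected. The log line layout, the field names, the sample lines and the use of an in-memory sqlite table as a stand-in for MSSQL are all assumptions made for this example.

```python
"""Added example (not noCMS code): log-side detection and code-side fixes
for the SQL injection and reflected XSS issues described in the advisory."""
import html
import re
import sqlite3
from urllib.parse import unquote_plus

# --- (a) detection over constructed log lines -------------------------------

# Constructed sample lines (not real traffic). Assumed layout, one token each:
# date time method path query cookie status
SAMPLE_LOG = [
    "2009-01-01 10:00:01 GET /default.asp lang_id=1 Lang_ID=1 200",
    "2009-01-01 10:00:02 GET /default.asp lang_id=1 Lang_ID=1;+WAITFOR+DELAY+'0:0:5'-- 200",
    "2009-01-01 10:00:03 GET /contactresponse.asp msg=%3Cscript%3Ealert(document.cookie)%3C/script%3E Lang_ID=1 200",
    "2009-01-01 10:00:04 GET /contactresponse.asp msg=thanks+for+your+reply Lang_ID=2 200",
]

# Payload shapes taken from the advisory's PoCs (3.3 and 3.4). They are matched
# after URL decoding so that '+' and %XX encodings cannot hide them.
TIME_BASED_SQLI = re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def scan_log_line(line):
    """Return a list of (field, finding) tuples for one log line."""
    try:
        _date, _time, _method, _path, query, cookie, _status = line.split()
    except ValueError:
        return [("line", "unparseable")]
    findings = []
    for field, value in (("query", query), ("cookie", cookie)):
        decoded = unquote_plus(value)
        if TIME_BASED_SQLI.search(decoded):
            findings.append((field, "time-based-blind-sqli"))
        if SCRIPT_TAG.search(decoded):
            findings.append((field, "reflected-xss-probe"))
    return findings


def scan_log(lines):
    """Map the index of each suspicious line to its findings; clean lines are omitted."""
    report = {}
    for idx, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            report[idx] = hits
    return report


# --- (b) the fixes section 4 calls for --------------------------------------

INT_PARAM = re.compile(r"[0-9]{1,9}")


def is_int_param(raw):
    """Allow-list check: id, lang_id and Lang_ID must be a short run of digits."""
    return raw is not None and INT_PARAM.fullmatch(raw.strip()) is not None


def parse_int_param(raw, name):
    """Reject anything that is not a plain integer before it reaches SQL."""
    if not is_int_param(raw):
        raise ValueError(f"rejected {name}={raw!r}: expected a small positive integer")
    return int(raw)


def lookup_language(conn, raw_lang_id):
    """Validate, then bind the value as a query parameter instead of concatenating it."""
    lang_id = parse_int_param(raw_lang_id, "Lang_ID")
    row = conn.execute("SELECT name FROM languages WHERE lang_id = ?", (lang_id,)).fetchone()
    return row[0] if row else None


def render_contact_response(msg):
    """Encode msg before reflecting it so a <script> tag becomes inert text."""
    return "<p>" + html.escape(msg, quote=True) + "</p>"


def demo_db():
    """In-memory sqlite table standing in for the MSSQL languages table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE languages (lang_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO languages VALUES (?, ?)", [(1, "en"), (2, "fa")])
    return conn


if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(idx, hits)
    conn = demo_db()
    print(lookup_language(conn, "1"))
    print(render_contact_response("<script>alert(document.cookie)</script>"))
```

The validation step is deliberately an allow-list (digits only) rather than a blacklist of SQL keywords: the time-based payload in 3.3 contains nothing but a semicolon, whitespace and a comment marker besides the keywords, so stripping known words would still leave the query structure open to other forms. The scanner, by contrast, is a detection aid keyed to the known PoCs and is not a substitute for the code changes.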