Multiple vulnerabilities have been discovered in SyndeoCMS, which can be exploited by malicious users to conduct script insertion attacks, SQL injection attacks, and compromise a vulnerable system and by malicious people to conduct cross-site request forgery attacks.

1) Input passed via the "name" parameter to starnet/index.php when editing alerts is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires "Alerts" access rights.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change the administrative password or edit the module values by tricking a logged in administrative user into visiting a malicious web site.

Successful exploitation of this vulnerability requires "SyndeoCMS Options" access rights and that "magic_quotes_gpc" is disabled.

3) Input passed via the "class[]" POST parameters (when editing a teacher within the "Teacher" configuration), the "project[]" POST parameters (e.g. when editing a pupil within the "Pupils & Groups" configuration), the "sections" POST parameter (when editing an alert within the "Alerts" configuration), the "send_email" POST parameter (when editing a project within the "Projects" configuration), and the "send_alerts" and "send_alerts_per_section" POST parameters (when editing the configuration withing the "Alerts" configuration) to starnet/index.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires access rights to the respective "Configuration" sections.

4) Input passed via the "search_arg" POST parameter to starnet/index.php (when using the "Search" functionality within the "Newsletter" module) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed via the "logging" POST parameter to starnet/index.php (when creating a poll within the "Polls" module) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

6) Input passed e.g. via the "article_content" POST parameter to starnet/index.php (when editing an article within the "News" module) is not properly sanitised in the "sanitize()" function (starnet/core/common.inc.php) before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of vulnerabilities #4 through #6 requires access rights to the respective modules in "Module Manager".

7) Input passed via the "header[1]", "section[1]", "status[1]", "menu[1]", "content[0]", and "footer[1]" POST parameters (when "option" is set to "modulemanager", "module" is set to "4", and "modoption" is set to "saveconfig") to starnet/index.php is not properly verified before being used to include files in application sections using the "Template" module. This can be exploited to include arbitrary files from local resources through path traversal attacks and e.g. execute arbitrary code when e.g. a specific application section is visited.

Successful exploitation of this vulnerability requires access rights to the "Template" module and a web site section using the “Template” module (e.g. protected area in default configuration).

8) The application improperly validates uploaded files via e.g. the image upload functionality of the CKEditor, which can be exploited to execute arbitrary PHP code by uploading a PHP file with e.g. an appended ".jpg" file extension.

Successful exploitation of this vulnerability requires that the web server is not configured to handle the mime-types for files with e.g. a ".jpg" or ".gif" extension.

9) Input passed via the "header" parameter to starnet/index.php when using the "Template editor" module is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of this vulnerability requires "Module manager" permissions.

Solution
Update to version 3.0.01

Provided and/or discovered by
1) abysssec
2, 9) High-Tech Bridge SA
5 - 8) Secunia Research

Changelog
Further details available to Secunia VIM customers

Original Advisory
SyndeoCMS:
http://www.syndeocms.org/index.php?section=2&page=4#24

High-Tech Bridge SA:
http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms.html
http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms_1.html
http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms_2.html

abysssec:
http://www.exploit-db.com/exploits/14887/

Secunia Research:
http://secunia.com/secunia_research/2012-10/
http://secunia.com/secunia_research/2012-11/
http://secunia.com/secunia_research/2012-12/

Deep Links
Links available to Secunia VIM customers