1024CMS Blind SQL Injection Vulnerability

Board: Bugtraq, posted 2010/03/03 02:01
##########################www.BugReport.ir########################################
#
#      AmnPardaz Security Research Team
#
# Title:                1024CMS Blind SQL Injection Vulnerability
# Vendor:               http://www.1024cms.org/
# Vulnerable Version:   2.1.1 (Latest version till now)
# Exploitation:         Remote with browser
# Fix:                  N/A
###################################################################################

####################
- Description:
####################

1024CMS is a PHP-based CMS which uses MySQL as its backend DBMS. It supports
forums, downloads, search capability, BB code capability, gallery, chat and
RSS services.

####################
- Vulnerability:
####################

+--> Blind SQL Injection
	The RSS page (rss.php) is vulnerable to SQL injection. The GET variable 'id' is
	not sanitized correctly in the SQL query. This hole can be used for extracting
	the admin password. For details see the 'Exploits' section.

####################
- Exploits/PoCs:
####################

http://www.bugreport.ir/69/exploit.htm

####################
- Solution:
####################

Remove rss.php and wait for a fix from the vendor, or escape the GET parameter
in rss.php using the vendor's string escaping function 'quote_smart', as is
done in all the other files.

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_69.htm

####################
- Credit:
####################

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
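
The following is an added example, not code from the advisory or from 1024CMS, of hardening the 'id' parameter the Solution section refers to. It swaps the advisory's escaping approach for integer validation plus a bound query parameter, on the assumption that 'id' is a numeric identifier. The function names and the feed_items table are hypothetical, and an in-memory SQLite database stands in for MySQL so the snippet runs stand-alone.

```php
<?php
// Added example: hypothetical hardened handling of the rss.php 'id' parameter.
// Table and column names are assumptions; the advisory does not show the query.

/**
 * Accept only a positive decimal integer; return null for anything else.
 */
function parse_feed_id($raw): ?int
{
    if (!is_string($raw)) {           // rejects arrays such as ?id[]=1
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch feed items with a bound parameter, so the value is never parsed as SQL.
 */
function fetch_feed_items(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT title, body FROM feed_items WHERE feed_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (the CMS itself uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feed_items (feed_id INTEGER, title TEXT, body TEXT)');
$db->exec("INSERT INTO feed_items VALUES (1, 'News', 'hello'), (2, 'Forum', 'world')");

// Constructed request values: two valid ids and several that must be rejected.
foreach (['1', '2', '1 OR 1=1', "1'", '', '-5', ['1']] as $raw) {
    $id = parse_feed_id($raw);
    if ($id === null) {
        // In rss.php this would be an HTTP 400 response with no query executed.
        echo 'rejected: ', json_encode($raw), PHP_EOL;
        continue;
    }
    echo "id=$id rows=", count(fetch_feed_items($db, $id)), PHP_EOL;
}
```

String escaping alone does not protect a value that is placed unquoted in a numeric context, which is why the example validates the type before the query is built.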