chillyCMS Multiple Vulnerabilities
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title:		chillyCMS Multiple Vulnerabilities
# Vendor:		http://frozenpepper.de/
# Vulnerable Version:	1.1.3 (Latest version till now)
# Exploitation:		Remote with browser
# Fix:			N/A
###################################################################################
####################
- Description:
####################
chillyCMS is a Content Management System. Its main features are: easily edit your content in a WYSIWYG editor, manage your users in different groups with different rights, upload single files or whole zip archives, insert your pictures into the content by drag and drop, one-click backup with integrated installer, extend your CMS with various modules, and see which articles are most popular in the statistics.
####################
- Vulnerability:
####################
+--> SQL Injection
	The username, in the login form, is one-parenthesis single-quoted injectable. For details check
	the PoC section.
+--> Reflective XSS
	Whenever a login fails, the username is printed on the main page without sanitizing. This can
	be used to execute arbitrary JavaScript code.
####################
- Exploits/PoCs:
####################
+--> Exploiting The (MySQL) SQL Injection Vulnerability:
	Simply go to the login page at 'victim.com/chillyCMS/core/show.site.php' and use
	the following vector for injecting arbitrary queries:
	 ') or $THE_QUERY or 1=('
	For example, you may use the following vector for extracting the pw field (for password)
	of the admin user:
	 admin')and substr(pw,I,1)=('C
	replacing I with the index of the character in a loop and C with the candidate characters.
	If the query result is true, the username is accepted and the wrong-password error is
	shown. If the query result is false, the username is rejected and the wrong-username error
	is shown. This difference in responses allows blind SQL injection to be performed.
+--> Exploiting The Reflective XSS Vulnerability:
	Use the following sample vector in the username field of the login page (or any other
	valid JavaScript code) => username: <script>alert('XSS')</script>
####################
- Solution:
####################
White-list the input parameters before using them in the SQL queries, removing any ', \, ( characters,
or more simply restrict the parameters' length to a small length.
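The following is an added example, not chillyCMS code: it shows the login pattern this advisory describes (username concatenated into the query, and reflected unescaped on failure) next to a hardened form that uses a prepared statement and HTML-encodes the username before reflecting it. Prepared statements are a more robust alternative to stripping characters or limiting length, because the username is never part of the SQL text. The table name `users`, the column names `name` and `pw`, the plaintext `pw` storage, and the SQLite demo data are assumptions; the CMS's real schema is not given in the advisory.

```php
<?php
// Added example, not chillyCMS code. Table/column names (users, name, pw),
// plaintext pw storage and the PDO connection are assumptions.

// Vulnerable pattern: the username is spliced into the SQL, the two failure
// branches return different messages (a boolean oracle), and the failing
// branch reflects the raw username into the page.
function login_vulnerable(PDO $db, string $username, string $password): string
{
    $sql = "SELECT pw FROM users WHERE (name = '" . $username . "')";
    $res = $db->query($sql);                       // ') or ... or 1=(' rewrites this query
    $row = $res ? $res->fetch(PDO::FETCH_ASSOC) : false;
    if ($row === false) {
        return "Unknown user: " . $username;       // reflected without encoding -> XSS
    }
    if ($row['pw'] !== $password) {
        return "Wrong password";                   // distinct message -> blind oracle
    }
    return "OK";
}

// Hardened form: bound parameter, one generic failure message, encoded output.
function login_hardened(PDO $db, string $username, string $password): string
{
    // The username travels as a bound value, never as SQL text, so quotes and
    // parentheses in it cannot change the query structure.
    $stmt = $db->prepare('SELECT pw FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same message for "no such user" and "wrong password" removes the
    // true/false oracle used for blind extraction. hash_equals() is a
    // constant-time compare; if pw were hashed, password_verify() would be used.
    if ($row === false || !hash_equals((string) $row['pw'], $password)) {
        return 'Login failed for '
            . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return 'OK';
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT, pw TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', 'secret')");

$probe = "admin') and substr(pw,1,1)=('s";        // the advisory's oracle vector
echo login_vulnerable($db, $probe, 'x'), "\n";    // "Wrong password": condition true, 1 char leaked
echo login_hardened($db, $probe, 'x'), "\n";      // generic failure, vector looked up literally

$xss = "<script>alert('XSS')</script>";           // the advisory's XSS vector
echo login_vulnerable($db, $xss, 'x'), "\n";      // raw <script> tag echoed back
echo login_hardened($db, $xss, 'x'), "\n";        // &lt;script&gt;... rendered as text
```

Run with `php example.php`. The hardened version keeps the example's own message text, so the only observable difference between a wrong username and a wrong password is gone, and the reflected value is always entity-encoded.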
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com