PacerCMS Multiple Vulnerabilities (XSS/SQL)

Credit: dB
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

PacerCMS Multiple Vulnerabilities (XSS/SQL). -------------------------------------------------------- Product: PacerCMS Version: 0.6 Vendor: Date: 01/22/08 - Introduction PacerCMS is a content management solution for student and non-daily community newspapers. - Details PacerCMS is susceptible to both persistent cross-site scripting and SQL injection attacks. An attacker could use the public 'Write a Letter'(submit.php) form to send a message to the System Administrator or staff member containing Javascript. The name, headline, or text POST variables are not sufficiently sanitized. The system administrator of the CMS sees a list of submitted messages on siteadmin/index.php right after logging in. If an attacker sends a message containing Javascript in the name or headline then the code will be run as soon as the admin logs in. This could lead to a staff member's session being hijacked. Multiple siteadmin pages are vulnerable to SQL injection. Access to these pages are restricted to staff members. - siteadmin/article-edit.php - siteadmin/submitted-edit.php - siteadmin/page-edit.php - siteadmin/section-edit.php - siteadmin/staff-edit.php - siteadmin/staff-access.php Example vulnerable code (article-edit.php) $id = $_GET["id"]; ... $query = "SELECT * FROM cm_articles "; $query .= " WHERE id = $id"; - Proof of Concept http://[site]/pacercms/siteadmin/article-edit.php?id=[SQL] - Solution Authors were notified of security issues and responded quickly. Upgrade to the latest build (0.6.1). Author: dB Email: dB [at] rawsecurity ! org

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top