PacerCMS Multiple Vulnerabilities (XSS/SQL)

2008.01.25
Credit: dB
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

PacerCMS Multiple Vulnerabilities (XSS/SQL). -------------------------------------------------------- Product: PacerCMS Version: 0.6 Vendor: http://pacercms.sourceforge.net/ Date: 01/22/08 - Introduction PacerCMS is a content management solution for student and non-daily community newspapers. - Details PacerCMS is susceptible to both persistent cross-site scripting and SQL injection attacks. An attacker could use the public 'Write a Letter'(submit.php) form to send a message to the System Administrator or staff member containing Javascript. The name, headline, or text POST variables are not sufficiently sanitized. The system administrator of the CMS sees a list of submitted messages on siteadmin/index.php right after logging in. If an attacker sends a message containing Javascript in the name or headline then the code will be run as soon as the admin logs in. This could lead to a staff member's session being hijacked. Multiple siteadmin pages are vulnerable to SQL injection. Access to these pages are restricted to staff members. - siteadmin/article-edit.php - siteadmin/submitted-edit.php - siteadmin/page-edit.php - siteadmin/section-edit.php - siteadmin/staff-edit.php - siteadmin/staff-access.php Example vulnerable code (article-edit.php) $id = $_GET["id"]; ... $query = "SELECT * FROM cm_articles "; $query .= " WHERE id = $id"; - Proof of Concept http://[site]/pacercms/siteadmin/article-edit.php?id=[SQL] - Solution Authors were notified of security issues and responded quickly. Upgrade to the latest build (0.6.1). Author: dB Email: dB [at] rawsecurity ! org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top